Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2023-27901 (GCVE-0-2023-27901)
Vulnerability from cvelistv5 – Published: 2023-03-08 17:14 – Updated: 2025-02-28 18:45
VLAI
EPSS
Summary
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.
Severity
7.5 (High)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.jenkins.io/security/advisory/2023-03-… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins Project | Jenkins |
Unaffected:
2.394 , < *
(maven)
Unaffected: 2.375.4 , < 2.375.* (maven) Unaffected: 2.387.1 , < 2.387.* (maven) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:23:30.540Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Jenkins Security Advisory 2023-03-08",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-27901",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-28T18:44:36.147926Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-28T18:45:56.466Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Jenkins",
"vendor": "Jenkins Project",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.394",
"versionType": "maven"
},
{
"lessThan": "2.375.*",
"status": "unaffected",
"version": "2.375.4",
"versionType": "maven"
},
{
"lessThan": "2.387.*",
"status": "unaffected",
"version": "2.387.1",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T12:49:06.381Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"name": "Jenkins Security Advisory 2023-03-08",
"tags": [
"vendor-advisory"
],
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2023-27901",
"datePublished": "2023-03-08T17:14:50.696Z",
"dateReserved": "2023-03-07T09:35:48.506Z",
"dateUpdated": "2025-02-28T18:45:56.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2023-27901",
"date": "2026-05-26",
"epss": "0.00622",
"percentile": "0.70286"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*\", \"versionEndExcluding\": \"2.375.4\", \"matchCriteriaId\": \"60A98B86-E66C-4703-9DDD-7BB66247067C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*\", \"versionEndExcluding\": \"2.394\", \"matchCriteriaId\": \"57EF4F3C-05BE-4979-A92D-6B56EE5CD3FF\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.\"}]",
"id": "CVE-2023-27901",
"lastModified": "2024-11-21T07:53:39.910",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
"published": "2023-03-10T21:15:15.573",
"references": "[{\"url\": \"https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030\", \"source\": \"jenkinsci-cert@googlegroups.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "jenkinsci-cert@googlegroups.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-770\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-27901\",\"sourceIdentifier\":\"jenkinsci-cert@googlegroups.com\",\"published\":\"2023-03-10T21:15:15.573\",\"lastModified\":\"2025-02-28T19:15:35.403\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*\",\"versionEndExcluding\":\"2.375.4\",\"matchCriteriaId\":\"60A98B86-E66C-4703-9DDD-7BB66247067C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*\",\"versionEndExcluding\":\"2.394\",\"matchCriteriaId\":\"57EF4F3C-05BE-4979-A92D-6B56EE5CD3FF\"}]}]}],\"references\":[{\"url\":\"https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"affected\": [{\"defaultStatus\": \"affected\", \"product\": \"Jenkins\", \"vendor\": \"Jenkins Project\", \"versions\": [{\"lessThan\": \"*\", \"status\": \"unaffected\", \"version\": \"2.394\", \"versionType\": \"maven\"}, {\"lessThan\": \"2.375.*\", \"status\": \"unaffected\", \"version\": \"2.375.4\", \"versionType\": \"maven\"}, {\"lessThan\": \"2.387.*\", \"status\": \"unaffected\", \"version\": \"2.387.1\", \"versionType\": \"maven\"}]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.\"}], \"providerMetadata\": {\"orgId\": \"39769cd5-e6e2-4dc8-927e-97b3aa056f5b\", \"shortName\": \"jenkins\", \"dateUpdated\": \"2023-10-24T12:49:06.381Z\"}, \"references\": [{\"name\": \"Jenkins Security Advisory 2023-03-08\", \"tags\": [\"vendor-advisory\"], \"url\": \"https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030\"}]}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T12:23:30.540Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"name\": \"Jenkins Security Advisory 2023-03-08\", \"tags\": [\"vendor-advisory\", \"x_transferred\"], \"url\": \"https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-27901\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-28T18:44:36.147926Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770 Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-28T18:45:49.871Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2023-27901\", \"assignerOrgId\": \"39769cd5-e6e2-4dc8-927e-97b3aa056f5b\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"jenkins\", \"dateReserved\": \"2023-03-07T09:35:48.506Z\", \"datePublished\": \"2023-03-08T17:14:50.696Z\", \"dateUpdated\": \"2025-02-28T18:45:56.466Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
bit-jenkins-2023-27901
Vulnerability from bitnami_vulndb
Published
2024-03-06 10:56
Modified
2025-04-03 14:40
Summary
Details
Jenkins LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "jenkins",
"purl": "pkg:bitnami/jenkins"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.394.0"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2023-27901"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*",
"cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*"
],
"severity": "High"
},
"details": "Jenkins LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.",
"id": "BIT-jenkins-2023-27901",
"modified": "2025-04-03T14:40:37.652Z",
"published": "2024-03-06T10:56:20.197Z",
"references": [
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27901"
}
],
"schema_version": "1.5.0"
}
FKIE_CVE-2023-27901
Vulnerability from fkie_nvd - Published: 2023-03-10 21:15 - Updated: 2025-02-28 19:15
Severity
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*",
"matchCriteriaId": "60A98B86-E66C-4703-9DDD-7BB66247067C",
"versionEndExcluding": "2.375.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*",
"matchCriteriaId": "57EF4F3C-05BE-4979-A92D-6B56EE5CD3FF",
"versionEndExcluding": "2.394",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service."
}
],
"id": "CVE-2023-27901",
"lastModified": "2025-02-28T19:15:35.403",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-03-10T21:15:15.573",
"references": [
{
"source": "jenkinsci-cert@googlegroups.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030"
}
],
"sourceIdentifier": "jenkinsci-cert@googlegroups.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
GHSA-H76P-MC68-JV3P
Vulnerability from github – Published: 2023-03-10 21:30 – Updated: 2023-03-17 14:44
VLAI
Summary
Denial of service in Jenkins Core
Details
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.
Severity
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.388"
},
{
"fixed": "2.394"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.375.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.376"
},
{
"fixed": "2.387.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-27901"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-17T14:44:28Z",
"nvd_published_at": "2023-03-10T21:15:00Z",
"severity": "HIGH"
},
"details": "Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.",
"id": "GHSA-h76p-mc68-jv3p",
"modified": "2023-03-17T14:44:28Z",
"published": "2023-03-10T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27901"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jenkins/commit/b70f4cb5892bd6059a45b5f156f019ce572adb08"
},
{
"type": "WEB",
"url": "https://github.com/CVEProject/cvelist/blob/master/2023/27xxx/CVE-2023-27901.json"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of service in Jenkins Core"
}
GSD-2023-27901
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-27901",
"id": "GSD-2023-27901"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-27901"
],
"details": "Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.",
"id": "GSD-2023-27901",
"modified": "2023-12-13T01:20:56.047933Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2023-27901",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins",
"version": {
"version_data": [
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"defaultStatus": "affected",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.394",
"versionType": "maven"
},
{
"lessThan": "2.375.*",
"status": "unaffected",
"version": "2.375.4",
"versionType": "maven"
},
{
"lessThan": "2.387.*",
"status": "unaffected",
"version": "2.387.1",
"versionType": "maven"
}
]
}
}
]
}
}
]
},
"vendor_name": "Jenkins Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030",
"refsource": "MISC",
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "[2.375.4,2.394)",
"affected_versions": "All versions after 2.375.4 before 2.394",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-770",
"CWE-937"
],
"date": "2023-03-16",
"description": "Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.",
"fixed_versions": [
"2.394"
],
"identifier": "CVE-2023-27901",
"identifiers": [
"CVE-2023-27901"
],
"not_impacted": "All versions starting from 2.394",
"package_slug": "maven/org.jenkins-ci.main/jenkins-core",
"pubdate": "2023-03-10",
"solution": "Upgrade to version 2.394 or above.",
"title": "Allocation of Resources Without Limits or Throttling",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2023-27901",
"https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030"
],
"uuid": "df123d0e-e099-4ffb-a768-cc0f22508709"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.394",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.375.4",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2023-27901"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2023-03-16T15:54Z",
"publishedDate": "2023-03-10T21:15Z"
}
}
}
RHSA-2023:3299
Vulnerability from csaf_redhat - Published: 2023-05-24 17:13 - Updated: 2026-05-22 14:23Summary
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
Severity
Important
Notes
Topic: An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* apache-commons-text: variable interpolation RCE (CVE-2022-42889)
* google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization (CVE-2020-7692)
* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)
* kubernetes-client: Insecure deserialization in unmarshalYaml method (CVE-2021-4178)
* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
* springframework: Authorization Bypass in RegexRequestMatcher (CVE-2022-22978)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)
* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)
* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)
* Jenkins: Denial of Service attack (CVE-2023-27900)
* Jenkins: Denial of Service attack (CVE-2023-27901)
* Jenkins: Workspace temporary directories accessible through directory browser (CVE-2023-27902)
* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
7.4 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src | — |
Threats
Impact
Moderate
A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.
6.7 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src | — |
Threats
Impact
Moderate
A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in Spring Security. When using RegexRequestMatcher, an easy misconfiguration can bypass some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
9.8 (Critical)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in gson, which is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes. This issue may lead to availability attacks.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src | — |
Threats
Impact
Moderate
A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.
9.8 (Critical)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch | — |
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src | — |
Workaround
|
Threats
Impact
Moderate
A flaw was found in the script-security Jenkins Plugin. In affected versions of the script-security plugin, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox. This vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
8.8 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src | — |
Threats
Impact
Important
A flaw was found in Apache Commons FileUpload, where it does not limit the number of parts being processed in a request. This issue may allow an attacker to use a malicious upload or series of uploads to trigger a denial of service. While Red Hat Satellite relies upon Apache Tomcat, it does not directly ship it. Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.
6.5 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in the Jenkins JUnit plugin. The affected versions of the JUnit Plugin do not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability. This may allow an attacker to control test case class names in the JUnit resources processed by the plugin.
5.4 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src | — |
Threats
Impact
Moderate
A flaw was found in the Jenkins pipeline-build-step plugin. Affected versions of the pipeline-build-step plugin do not escape job names in a JavaScript expression used in the Pipeline Snippet Generator. This can result in a stored cross-site scripting (XSS) vulnerability that may allow attackers to control job names.
5.4 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. Affected versions of Jenkins use the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. Affected versions of Jenkins use the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. Jenkins uses temporary directories adjacent to workspace directories, usually with the @tmp name suffix, to store temporary files related to the build. In pipelines, these temporary directories are adjacent to the current working directory when operating in a subdirectory of the automatically allocated workspace. Jenkins-controlled processes, like SCMs, may store credentials in these directories. Affected versions of Jenkins show these temporary directories when viewing job workspaces, which allows attackers with Item/Workspace permission to access their contents.
4.3 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers.
5.3 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Low
References
96 references
Acknowledgments
Jordy Versmissen
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* apache-commons-text: variable interpolation RCE (CVE-2022-42889)\n\n* google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization (CVE-2020-7692)\n\n* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)\n\n* kubernetes-client: Insecure deserialization in unmarshalYaml method (CVE-2021-4178)\n\n* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)\n\n* springframework: Authorization Bypass in RegexRequestMatcher (CVE-2022-22978)\n\n* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)\n\n* Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)\n\n* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)\n\n* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)\n\n* Jenkins: Denial of Service attack (CVE-2023-27900)\n\n* Jenkins: Denial of Service attack (CVE-2023-27901)\n\n* Jenkins: Workspace temporary directories accessible through directory browser (CVE-2023-27902)\n\n* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:3299",
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1856376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856376"
},
{
"category": "external",
"summary": "2034388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034388"
},
{
"category": "external",
"summary": "2087606",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2087606"
},
{
"category": "external",
"summary": "2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "2134292",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134292"
},
{
"category": "external",
"summary": "2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "2164278",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164278"
},
{
"category": "external",
"summary": "2170039",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170039"
},
{
"category": "external",
"summary": "2170041",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170041"
},
{
"category": "external",
"summary": "2172298",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2172298"
},
{
"category": "external",
"summary": "2177630",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177630"
},
{
"category": "external",
"summary": "2177634",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177634"
},
{
"category": "external",
"summary": "2177638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177638"
},
{
"category": "external",
"summary": "2177646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177646"
},
{
"category": "external",
"summary": "2185707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2185707"
},
{
"category": "external",
"summary": "PITEAM-10",
"url": "https://issues.redhat.com/browse/PITEAM-10"
},
{
"category": "external",
"summary": "PITEAM-9",
"url": "https://issues.redhat.com/browse/PITEAM-9"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3299.json"
}
],
"title": "Red Hat Security Advisory: jenkins and jenkins-2-plugins security update",
"tracking": {
"current_release_date": "2026-05-22T14:23:01+00:00",
"generator": {
"date": "2026-05-22T14:23:01+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2023:3299",
"initial_release_date": "2023-05-24T17:13:53+00:00",
"revision_history": [
{
"date": "2023-05-24T17:13:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-05-24T17:13:53+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-22T14:23:01+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services for OCP 4.13",
"product": {
"name": "OpenShift Developer Tools and Services for OCP 4.13",
"product_id": "8Base-OCP-Tools-4.13",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.13::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.387.3.1684911776-3.el8.src",
"product": {
"name": "jenkins-0:2.387.3.1684911776-3.el8.src",
"product_id": "jenkins-0:2.387.3.1684911776-3.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.387.3.1684911776-3.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.13.1684911916-1.el8.src",
"product": {
"name": "jenkins-2-plugins-0:4.13.1684911916-1.el8.src",
"product_id": "jenkins-2-plugins-0:4.13.1684911916-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.13.1684911916-1.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.387.3.1684911776-3.el8.noarch",
"product": {
"name": "jenkins-0:2.387.3.1684911776-3.el8.noarch",
"product_id": "jenkins-0:2.387.3.1684911776-3.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.387.3.1684911776-3.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"product_id": "jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.13.1684911916-1.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.387.3.1684911776-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.13",
"product_id": "8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch"
},
"product_reference": "jenkins-0:2.387.3.1684911776-3.el8.noarch",
"relates_to_product_reference": "8Base-OCP-Tools-4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.387.3.1684911776-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.13",
"product_id": "8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
},
"product_reference": "jenkins-0:2.387.3.1684911776-3.el8.src",
"relates_to_product_reference": "8Base-OCP-Tools-4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.13",
"product_id": "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"relates_to_product_reference": "8Base-OCP-Tools-4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.13.1684911916-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.13",
"product_id": "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
},
"product_reference": "jenkins-2-plugins-0:4.13.1684911916-1.el8.src",
"relates_to_product_reference": "8Base-OCP-Tools-4.13"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-7692",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"discovery_date": "2020-07-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1856376"
}
],
"notes": [
{
"category": "description",
"text": "PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-7692"
},
{
"category": "external",
"summary": "RHBZ#1856376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-7692",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7692"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7692",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7692"
}
],
"release_date": "2020-07-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization"
},
{
"acknowledgments": [
{
"names": [
"Jordy Versmissen"
]
}
],
"cve": "CVE-2021-4178",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-12-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2034388"
}
],
"notes": [
{
"category": "description",
"text": "A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kubernetes-client: Insecure deserialization in unmarshalYaml method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat CodeReady Studio 12 is not affected by this flaw because it does not ship a vulnerable version of kubernetes-client; the version that it ships does not use SnakeYAML.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-4178"
},
{
"category": "external",
"summary": "RHBZ#2034388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034388"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-4178",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4178"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4178",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4178"
}
],
"release_date": "2022-01-05T15:05:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "kubernetes-client: Insecure deserialization in unmarshalYaml method"
},
{
"cve": "CVE-2021-46877",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-04-11T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2185707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-46877"
},
{
"category": "external",
"summary": "RHBZ#2185707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2185707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-46877",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46877"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-46877",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46877"
}
],
"release_date": "2023-03-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode"
},
{
"cve": "CVE-2022-22978",
"cwe": {
"id": "CWE-625",
"name": "Permissive Regular Expression"
},
"discovery_date": "2022-05-18T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2087606"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Spring Security. When using RegexRequestMatcher, an easy misconfiguration can bypass some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "springframework: Authorization Bypass in RegexRequestMatcher",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-22978"
},
{
"category": "external",
"summary": "RHBZ#2087606",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2087606"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-22978",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22978"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-22978",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22978"
},
{
"category": "external",
"summary": "https://tanzu.vmware.com/security/cve-2022-22978",
"url": "https://tanzu.vmware.com/security/cve-2022-22978"
}
],
"release_date": "2022-05-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "springframework: Authorization Bypass in RegexRequestMatcher"
},
{
"cve": "CVE-2022-25647",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-05-02T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2080850"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in gson, which is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes. This issue may lead to availability attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25647"
},
{
"category": "external",
"summary": "RHBZ#2080850",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2080850"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25647",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25647"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25647",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25647"
}
],
"release_date": "2022-05-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson"
},
{
"cve": "CVE-2022-40151",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134292"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40151"
},
{
"category": "external",
"summary": "RHBZ#2134292",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134292"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40151",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40151"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40151",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40151"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-40152",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134291"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40152"
},
{
"category": "external",
"summary": "RHBZ#2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4",
"url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-42889",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2022-10-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135435"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-text: variable interpolation RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42889"
},
{
"category": "external",
"summary": "RHBZ#2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42889",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42889"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889"
},
{
"category": "external",
"summary": "https://blogs.apache.org/security/entry/cve-2022-42889",
"url": "https://blogs.apache.org/security/entry/cve-2022-42889"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om",
"url": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om"
},
{
"category": "external",
"summary": "https://seclists.org/oss-sec/2022/q4/22",
"url": "https://seclists.org/oss-sec/2022/q4/22"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
},
{
"category": "workaround",
"details": "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-commons-text: variable interpolation RCE"
},
{
"cve": "CVE-2023-24422",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2023-01-25T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2164278"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the script-security Jenkins Plugin. In affected versions of the script-security plugin, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox. This vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-24422"
},
{
"category": "external",
"summary": "RHBZ#2164278",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164278"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-24422",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24422"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24422",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24422"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016",
"url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016"
}
],
"release_date": "2023-01-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin"
},
{
"cve": "CVE-2023-24998",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-02-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2172298"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons FileUpload, where it does not limit the number of parts being processed in a request. This issue may allow an attacker to use a malicious upload or series of uploads to trigger a denial of service.\r\n\r\nWhile Red Hat Satellite relies upon Apache Tomcat, it does not directly ship it. Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "FileUpload: FileUpload DoS with excessive parts",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-24998"
},
{
"category": "external",
"summary": "RHBZ#2172298",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2172298"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-24998",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24998"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998"
},
{
"category": "external",
"summary": "https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5",
"url": "https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5"
}
],
"release_date": "2023-02-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "FileUpload: FileUpload DoS with excessive parts"
},
{
"cve": "CVE-2023-25761",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-02-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2170039"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jenkins JUnit plugin. The affected versions of the JUnit Plugin do not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability. This may allow an attacker to control test case class names in the JUnit resources processed by the plugin.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support, therefore, the OpenShift 3.11 Jenkins component is marked as out of support scope in this CVE.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-25761"
},
{
"category": "external",
"summary": "RHBZ#2170039",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170039"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-25761",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25761"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-25761",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25761"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3032",
"url": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3032"
}
],
"release_date": "2023-02-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin"
},
{
"cve": "CVE-2023-25762",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-02-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2170041"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jenkins pipeline-build-step plugin. Affected versions of the pipeline-build-step plugin do not escape job names in a JavaScript expression used in the Pipeline Snippet Generator. This can result in a stored cross-site scripting (XSS) vulnerability that may allow attackers to control job names.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support, therefore, the OpenShift 3.11 Jenkins component is marked as out of support scope in this CVE.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-25762"
},
{
"category": "external",
"summary": "RHBZ#2170041",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170041"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-25762",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25762"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-25762",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25762"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3019",
"url": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3019"
}
],
"release_date": "2023-02-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin"
},
{
"cve": "CVE-2023-27900",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"discovery_date": "2023-03-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2177638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. Affected versions of Jenkins use the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Jenkins: Denial of Service attack",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-27900"
},
{
"category": "external",
"summary": "RHBZ#2177638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-27900",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27900"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-27900",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27900"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030",
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030"
}
],
"release_date": "2023-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Jenkins: Denial of Service attack"
},
{
"cve": "CVE-2023-27901",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"discovery_date": "2023-03-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2177646"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. Affected versions of Jenkins use the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Jenkins: Denial of Service attack",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-27901"
},
{
"category": "external",
"summary": "RHBZ#2177646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177646"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-27901",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27901"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-27901",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27901"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030",
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030"
}
],
"release_date": "2023-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Jenkins: Denial of Service attack"
},
{
"cve": "CVE-2023-27902",
"cwe": {
"id": "CWE-266",
"name": "Incorrect Privilege Assignment"
},
"discovery_date": "2023-03-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2177630"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. Jenkins uses temporary directories adjacent to workspace directories, usually with the @tmp name suffix, to store temporary files related to the build. In pipelines, these temporary directories are adjacent to the current working directory when operating in a subdirectory of the automatically allocated workspace. Jenkins-controlled processes, like SCMs, may store credentials in these directories. Affected versions of Jenkins show these temporary directories when viewing job workspaces, which allows attackers with Item/Workspace permission to access their contents.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Jenkins: Workspace temporary directories accessible through directory browser",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-27902"
},
{
"category": "external",
"summary": "RHBZ#2177630",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177630"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-27902",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27902"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-27902",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27902"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-1807",
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-1807"
}
],
"release_date": "2023-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Jenkins: Workspace temporary directories accessible through directory browser"
},
{
"cve": "CVE-2023-27904",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-03-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2177634"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Jenkins: Information disclosure through error stack traces related to agents",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-27904"
},
{
"category": "external",
"summary": "RHBZ#2177634",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177634"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-27904",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27904"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-27904",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27904"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120",
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120"
}
],
"release_date": "2023-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Jenkins: Information disclosure through error stack traces related to agents"
}
]
}
RHSA-2023_3299
Vulnerability from csaf_redhat - Published: 2023-05-24 17:13 - Updated: 2024-12-17 22:55Summary
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
Severity
Important
Notes
Topic: An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* apache-commons-text: variable interpolation RCE (CVE-2022-42889)
* google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization (CVE-2020-7692)
* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)
* kubernetes-client: Insecure deserialization in unmarshalYaml method (CVE-2021-4178)
* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
* springframework: Authorization Bypass in RegexRequestMatcher (CVE-2022-22978)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)
* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)
* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)
* Jenkins: Denial of Service attack (CVE-2023-27900)
* Jenkins: Denial of Service attack (CVE-2023-27901)
* Jenkins: Workspace temporary directories accessible through directory browser (CVE-2023-27902)
* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
7.4 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src | — |
Threats
Impact
Moderate
A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.
6.7 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src | — |
Threats
Impact
Moderate
A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in Spring Security. When using RegexRequestMatcher, an easy misconfiguration can bypass some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
9.8 (Critical)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in gson, which is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes. This issue may lead to availability attacks.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src | — |
Threats
Impact
Moderate
A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.
9.8 (Critical)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch | — |
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src | — |
Workaround
|
Threats
Impact
Moderate
A flaw was found in the script-security Jenkins Plugin. In affected versions of the script-security plugin, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox. This vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
8.8 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src | — |
Threats
Impact
Important
A flaw was found in Apache Commons FileUpload, where it does not limit the number of parts being processed in a request. This issue may allow an attacker to use a malicious upload or series of uploads to trigger a denial of service. While Red Hat Satellite relies upon Apache Tomcat, it does not directly ship it. Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.
6.5 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in the Jenkins JUnit plugin. The affected versions of the JUnit Plugin do not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability. This may allow an attacker to control test case class names in the JUnit resources processed by the plugin.
5.4 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src | — |
Threats
Impact
Moderate
A flaw was found in the Jenkins pipeline-build-step plugin. Affected versions of the pipeline-build-step plugin do not escape job names in a JavaScript expression used in the Pipeline Snippet Generator. This can result in a stored cross-site scripting (XSS) vulnerability that may allow attackers to control job names.
5.4 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. Affected versions of Jenkins use the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. Affected versions of Jenkins use the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. Jenkins uses temporary directories adjacent to workspace directories, usually with the @tmp name suffix, to store temporary files related to the build. In pipelines, these temporary directories are adjacent to the current working directory when operating in a subdirectory of the automatically allocated workspace. Jenkins-controlled processes, like SCMs, may store credentials in these directories. Affected versions of Jenkins show these temporary directories when viewing job workspaces, which allows attackers with Item/Workspace permission to access their contents.
4.3 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers.
5.3 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch | — | ||
| Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src | — |
Threats
Impact
Low
References
96 references
Acknowledgments
Jordy Versmissen
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* apache-commons-text: variable interpolation RCE (CVE-2022-42889)\n\n* google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization (CVE-2020-7692)\n\n* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)\n\n* kubernetes-client: Insecure deserialization in unmarshalYaml method (CVE-2021-4178)\n\n* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)\n\n* springframework: Authorization Bypass in RegexRequestMatcher (CVE-2022-22978)\n\n* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)\n\n* Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)\n\n* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)\n\n* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)\n\n* Jenkins: Denial of Service attack (CVE-2023-27900)\n\n* Jenkins: Denial of Service attack (CVE-2023-27901)\n\n* Jenkins: Workspace temporary directories accessible through directory browser (CVE-2023-27902)\n\n* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:3299",
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1856376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856376"
},
{
"category": "external",
"summary": "2034388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034388"
},
{
"category": "external",
"summary": "2087606",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2087606"
},
{
"category": "external",
"summary": "2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "2134292",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134292"
},
{
"category": "external",
"summary": "2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "2164278",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164278"
},
{
"category": "external",
"summary": "2170039",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170039"
},
{
"category": "external",
"summary": "2170041",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170041"
},
{
"category": "external",
"summary": "2172298",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2172298"
},
{
"category": "external",
"summary": "2177630",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177630"
},
{
"category": "external",
"summary": "2177634",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177634"
},
{
"category": "external",
"summary": "2177638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177638"
},
{
"category": "external",
"summary": "2177646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177646"
},
{
"category": "external",
"summary": "2185707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2185707"
},
{
"category": "external",
"summary": "PITEAM-10",
"url": "https://issues.redhat.com/browse/PITEAM-10"
},
{
"category": "external",
"summary": "PITEAM-9",
"url": "https://issues.redhat.com/browse/PITEAM-9"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3299.json"
}
],
"title": "Red Hat Security Advisory: jenkins and jenkins-2-plugins security update",
"tracking": {
"current_release_date": "2024-12-17T22:55:52+00:00",
"generator": {
"date": "2024-12-17T22:55:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:3299",
"initial_release_date": "2023-05-24T17:13:53+00:00",
"revision_history": [
{
"date": "2023-05-24T17:13:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-05-24T17:13:53+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-17T22:55:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services for OCP 4.13",
"product": {
"name": "OpenShift Developer Tools and Services for OCP 4.13",
"product_id": "8Base-OCP-Tools-4.13",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.13::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Jenkins"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.387.3.1684911776-3.el8.src",
"product": {
"name": "jenkins-0:2.387.3.1684911776-3.el8.src",
"product_id": "jenkins-0:2.387.3.1684911776-3.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.387.3.1684911776-3.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.13.1684911916-1.el8.src",
"product": {
"name": "jenkins-2-plugins-0:4.13.1684911916-1.el8.src",
"product_id": "jenkins-2-plugins-0:4.13.1684911916-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.13.1684911916-1.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.387.3.1684911776-3.el8.noarch",
"product": {
"name": "jenkins-0:2.387.3.1684911776-3.el8.noarch",
"product_id": "jenkins-0:2.387.3.1684911776-3.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.387.3.1684911776-3.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"product_id": "jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.13.1684911916-1.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.387.3.1684911776-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.13",
"product_id": "8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch"
},
"product_reference": "jenkins-0:2.387.3.1684911776-3.el8.noarch",
"relates_to_product_reference": "8Base-OCP-Tools-4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.387.3.1684911776-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.13",
"product_id": "8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
},
"product_reference": "jenkins-0:2.387.3.1684911776-3.el8.src",
"relates_to_product_reference": "8Base-OCP-Tools-4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.13",
"product_id": "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"relates_to_product_reference": "8Base-OCP-Tools-4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.13.1684911916-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.13",
"product_id": "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
},
"product_reference": "jenkins-2-plugins-0:4.13.1684911916-1.el8.src",
"relates_to_product_reference": "8Base-OCP-Tools-4.13"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-7692",
"cwe": {
"id": "CWE-358",
"name": "Improperly Implemented Security Check for Standard"
},
"discovery_date": "2020-07-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1856376"
}
],
"notes": [
{
"category": "description",
"text": "PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-7692"
},
{
"category": "external",
"summary": "RHBZ#1856376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-7692",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7692"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7692",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7692"
}
],
"release_date": "2020-07-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization"
},
{
"acknowledgments": [
{
"names": [
"Jordy Versmissen"
]
}
],
"cve": "CVE-2021-4178",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2021-12-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2034388"
}
],
"notes": [
{
"category": "description",
"text": "A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kubernetes-client: Insecure deserialization in unmarshalYaml method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat CodeReady Studio 12 is not affected by this flaw because it does not ship a vulnerable version of kubernetes-client; the version that it ships does not use SnakeYAML.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-4178"
},
{
"category": "external",
"summary": "RHBZ#2034388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034388"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-4178",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4178"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4178",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4178"
}
],
"release_date": "2022-01-05T15:05:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "kubernetes-client: Insecure deserialization in unmarshalYaml method"
},
{
"cve": "CVE-2021-46877",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-04-11T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2185707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-46877"
},
{
"category": "external",
"summary": "RHBZ#2185707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2185707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-46877",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46877"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-46877",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46877"
}
],
"release_date": "2023-03-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode"
},
{
"cve": "CVE-2022-22978",
"cwe": {
"id": "CWE-1220",
"name": "Insufficient Granularity of Access Control"
},
"discovery_date": "2022-05-18T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2087606"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Spring Security. When using RegexRequestMatcher, an easy misconfiguration can bypass some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "springframework: Authorization Bypass in RegexRequestMatcher",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-22978"
},
{
"category": "external",
"summary": "RHBZ#2087606",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2087606"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-22978",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22978"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-22978",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22978"
},
{
"category": "external",
"summary": "https://tanzu.vmware.com/security/cve-2022-22978",
"url": "https://tanzu.vmware.com/security/cve-2022-22978"
}
],
"release_date": "2022-05-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "springframework: Authorization Bypass in RegexRequestMatcher"
},
{
"cve": "CVE-2022-25647",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-05-02T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2080850"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in gson, which is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes. This issue may lead to availability attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25647"
},
{
"category": "external",
"summary": "RHBZ#2080850",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2080850"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25647",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25647"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25647",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25647"
}
],
"release_date": "2022-05-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson"
},
{
"cve": "CVE-2022-40151",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134292"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40151"
},
{
"category": "external",
"summary": "RHBZ#2134292",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134292"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40151",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40151"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40151",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40151"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-40152",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134291"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40152"
},
{
"category": "external",
"summary": "RHBZ#2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4",
"url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-42889",
"cwe": {
"id": "CWE-1188",
"name": "Initialization of a Resource with an Insecure Default"
},
"discovery_date": "2022-10-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135435"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-text: variable interpolation RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42889"
},
{
"category": "external",
"summary": "RHBZ#2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42889",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42889"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889"
},
{
"category": "external",
"summary": "https://blogs.apache.org/security/entry/cve-2022-42889",
"url": "https://blogs.apache.org/security/entry/cve-2022-42889"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om",
"url": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om"
},
{
"category": "external",
"summary": "https://seclists.org/oss-sec/2022/q4/22",
"url": "https://seclists.org/oss-sec/2022/q4/22"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
},
{
"category": "workaround",
"details": "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-commons-text: variable interpolation RCE"
},
{
"cve": "CVE-2023-24422",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2023-01-25T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2164278"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the script-security Jenkins Plugin. In affected versions of the script-security plugin, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox. This vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-24422"
},
{
"category": "external",
"summary": "RHBZ#2164278",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164278"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-24422",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24422"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24422",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24422"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016",
"url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016"
}
],
"release_date": "2023-01-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin"
},
{
"cve": "CVE-2023-24998",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-02-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2172298"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons FileUpload, where it does not limit the number of parts being processed in a request. This issue may allow an attacker to use a malicious upload or series of uploads to trigger a denial of service.\r\n\r\nWhile Red Hat Satellite relies upon Apache Tomcat, it does not directly ship it. Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "FileUpload: FileUpload DoS with excessive parts",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-24998"
},
{
"category": "external",
"summary": "RHBZ#2172298",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2172298"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-24998",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24998"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998"
},
{
"category": "external",
"summary": "https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5",
"url": "https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5"
}
],
"release_date": "2023-02-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "FileUpload: FileUpload DoS with excessive parts"
},
{
"cve": "CVE-2023-25761",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-02-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2170039"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jenkins JUnit plugin. The affected versions of the JUnit Plugin do not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability. This may allow an attacker to control test case class names in the JUnit resources processed by the plugin.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support, therefore, the OpenShift 3.11 Jenkins component is marked as out of support scope in this CVE.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-25761"
},
{
"category": "external",
"summary": "RHBZ#2170039",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170039"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-25761",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25761"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-25761",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25761"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3032",
"url": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3032"
}
],
"release_date": "2023-02-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin"
},
{
"cve": "CVE-2023-25762",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-02-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2170041"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jenkins pipeline-build-step plugin. Affected versions of the pipeline-build-step plugin do not escape job names in a JavaScript expression used in the Pipeline Snippet Generator. This can result in a stored cross-site scripting (XSS) vulnerability that may allow attackers to control job names.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support, therefore, the OpenShift 3.11 Jenkins component is marked as out of support scope in this CVE.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-25762"
},
{
"category": "external",
"summary": "RHBZ#2170041",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170041"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-25762",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25762"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-25762",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25762"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3019",
"url": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3019"
}
],
"release_date": "2023-02-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin"
},
{
"cve": "CVE-2023-27900",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"discovery_date": "2023-03-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2177638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. Affected versions of Jenkins use the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Jenkins: Denial of Service attack",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-27900"
},
{
"category": "external",
"summary": "RHBZ#2177638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-27900",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27900"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-27900",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27900"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030",
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030"
}
],
"release_date": "2023-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Jenkins: Denial of Service attack"
},
{
"cve": "CVE-2023-27901",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"discovery_date": "2023-03-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2177646"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. Affected versions of Jenkins use the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Jenkins: Denial of Service attack",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-27901"
},
{
"category": "external",
"summary": "RHBZ#2177646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177646"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-27901",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27901"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-27901",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27901"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030",
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030"
}
],
"release_date": "2023-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Jenkins: Denial of Service attack"
},
{
"cve": "CVE-2023-27902",
"cwe": {
"id": "CWE-266",
"name": "Incorrect Privilege Assignment"
},
"discovery_date": "2023-03-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2177630"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. Jenkins uses temporary directories adjacent to workspace directories, usually with the @tmp name suffix, to store temporary files related to the build. In pipelines, these temporary directories are adjacent to the current working directory when operating in a subdirectory of the automatically allocated workspace. Jenkins-controlled processes, like SCMs, may store credentials in these directories. Affected versions of Jenkins show these temporary directories when viewing job workspaces, which allows attackers with Item/Workspace permission to access their contents.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Jenkins: Workspace temporary directories accessible through directory browser",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-27902"
},
{
"category": "external",
"summary": "RHBZ#2177630",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177630"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-27902",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27902"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-27902",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27902"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-1807",
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-1807"
}
],
"release_date": "2023-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Jenkins: Workspace temporary directories accessible through directory browser"
},
{
"cve": "CVE-2023-27904",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-03-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2177634"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Jenkins: Information disclosure through error stack traces related to agents",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-27904"
},
{
"category": "external",
"summary": "RHBZ#2177634",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177634"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-27904",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27904"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-27904",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27904"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120",
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120"
}
],
"release_date": "2023-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-24T17:13:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-0:2.387.3.1684911776-3.el8.src",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.noarch",
"8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1684911916-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Jenkins: Information disclosure through error stack traces related to agents"
}
]
}
WID-SEC-W-2023-0609
Vulnerability from csaf_certbund - Published: 2023-03-08 23:00 - Updated: 2024-02-11 23:00Summary
Jenkins: Mehrere Schwachstellen
Severity
Mittel
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Jenkins ist ein erweiterbarer, webbasierter Integration Server zur kontinuierlichen Unterstützung bei Softwareentwicklungen aller Art.
Angriff: Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Jenkins ausnutzen, um Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuführen und Code auszuführen
Betroffene Betriebssysteme: - UNIX
- Linux
- Windows
- Sonstiges
In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungenügende Eingabeüberprüfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuführen und Code auszuführen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat OpenShift container platform 4.10
Red Hat / OpenShift
|
cpe:/a:redhat:openshift:container_platform_4.10
|
container platform 4.10 |
In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungenügende Eingabeüberprüfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuführen und Code auszuführen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat OpenShift container platform 4.10
Red Hat / OpenShift
|
cpe:/a:redhat:openshift:container_platform_4.10
|
container platform 4.10 |
In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungenügende Eingabeüberprüfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuführen und Code auszuführen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat OpenShift container platform 4.10
Red Hat / OpenShift
|
cpe:/a:redhat:openshift:container_platform_4.10
|
container platform 4.10 |
In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungenügende Eingabeüberprüfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuführen und Code auszuführen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat OpenShift container platform 4.10
Red Hat / OpenShift
|
cpe:/a:redhat:openshift:container_platform_4.10
|
container platform 4.10 |
In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungenügende Eingabeüberprüfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuführen und Code auszuführen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat OpenShift container platform 4.10
Red Hat / OpenShift
|
cpe:/a:redhat:openshift:container_platform_4.10
|
container platform 4.10 |
In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungenügende Eingabeüberprüfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuführen und Code auszuführen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat OpenShift container platform 4.10
Red Hat / OpenShift
|
cpe:/a:redhat:openshift:container_platform_4.10
|
container platform 4.10 |
In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungenügende Eingabeüberprüfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuführen und Code auszuführen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat OpenShift container platform 4.10
Red Hat / OpenShift
|
cpe:/a:redhat:openshift:container_platform_4.10
|
container platform 4.10 |
In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungenügende Eingabeüberprüfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuführen und Code auszuführen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat OpenShift container platform 4.10
Red Hat / OpenShift
|
cpe:/a:redhat:openshift:container_platform_4.10
|
container platform 4.10 |
In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungenügende Eingabeüberprüfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuführen und Code auszuführen. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat OpenShift container platform 4.10
Red Hat / OpenShift
|
cpe:/a:redhat:openshift:container_platform_4.10
|
container platform 4.10 |
References
11 references
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Jenkins ist ein erweiterbarer, webbasierter Integration Server zur kontinuierlichen Unterst\u00fctzung bei Softwareentwicklungen aller Art.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Jenkins ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Code auszuf\u00fchren",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows\n- Sonstiges",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-0609 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0609.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-0609 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0609"
},
{
"category": "external",
"summary": "Jenkins Security Advisory vom 2023-03-08",
"url": "https://www.jenkins.io/security/advisory/2023-03-08/"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:1655 vom 2023-04-12",
"url": "https://access.redhat.com/errata/RHSA-2023:1655"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:3195 vom 2023-05-19",
"url": "https://access.redhat.com/errata/RHSA-2023:3195"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:3198 vom 2023-05-18",
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:3299 vom 2023-05-24",
"url": "https://access.redhat.com/errata/RHSA-2023:3299"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:3622 vom 2023-06-15",
"url": "https://access.redhat.com/errata/RHSA-2023:3622"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:3663 vom 2023-06-19",
"url": "https://access.redhat.com/errata/RHSA-2023:3663"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:0775 vom 2024-02-12",
"url": "https://access.redhat.com/errata/RHSA-2024:0775"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:0778 vom 2024-02-12",
"url": "https://access.redhat.com/errata/RHSA-2024:0778"
}
],
"source_lang": "en-US",
"title": "Jenkins: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-02-11T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:46:24.013+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-0609",
"initial_release_date": "2023-03-08T23:00:00.000+00:00",
"revision_history": [
{
"date": "2023-03-08T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2023-04-12T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-05-18T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-05-24T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-06-15T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-06-19T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-02-11T23:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "7"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c 2.394",
"product": {
"name": "Jenkins Jenkins \u003c 2.394",
"product_id": "T026692"
}
},
{
"category": "product_version_range",
"name": "\u003c 2.375.4 LTS",
"product": {
"name": "Jenkins Jenkins \u003c 2.375.4 LTS",
"product_id": "T026693"
}
},
{
"category": "product_version_range",
"name": "\u003c 2.387.1 LTS",
"product": {
"name": "Jenkins Jenkins \u003c 2.387.1 LTS",
"product_id": "T026694"
}
}
],
"category": "product_name",
"name": "Jenkins"
}
],
"category": "vendor",
"name": "Jenkins"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"branches": [
{
"category": "product_version",
"name": "container platform 4.10",
"product": {
"name": "Red Hat OpenShift container platform 4.10",
"product_id": "T027233",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:container_platform_4.10"
}
}
}
],
"category": "product_name",
"name": "OpenShift"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-27905",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungen\u00fcgende Eingabe\u00fcberpr\u00fcfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Code auszuf\u00fchren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung."
}
],
"product_status": {
"known_affected": [
"67646",
"T027233"
]
},
"release_date": "2023-03-08T23:00:00.000+00:00",
"title": "CVE-2023-27905"
},
{
"cve": "CVE-2023-27904",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungen\u00fcgende Eingabe\u00fcberpr\u00fcfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Code auszuf\u00fchren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung."
}
],
"product_status": {
"known_affected": [
"67646",
"T027233"
]
},
"release_date": "2023-03-08T23:00:00.000+00:00",
"title": "CVE-2023-27904"
},
{
"cve": "CVE-2023-27903",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungen\u00fcgende Eingabe\u00fcberpr\u00fcfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Code auszuf\u00fchren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung."
}
],
"product_status": {
"known_affected": [
"67646",
"T027233"
]
},
"release_date": "2023-03-08T23:00:00.000+00:00",
"title": "CVE-2023-27903"
},
{
"cve": "CVE-2023-27902",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungen\u00fcgende Eingabe\u00fcberpr\u00fcfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Code auszuf\u00fchren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung."
}
],
"product_status": {
"known_affected": [
"67646",
"T027233"
]
},
"release_date": "2023-03-08T23:00:00.000+00:00",
"title": "CVE-2023-27902"
},
{
"cve": "CVE-2023-27901",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungen\u00fcgende Eingabe\u00fcberpr\u00fcfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Code auszuf\u00fchren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung."
}
],
"product_status": {
"known_affected": [
"67646",
"T027233"
]
},
"release_date": "2023-03-08T23:00:00.000+00:00",
"title": "CVE-2023-27901"
},
{
"cve": "CVE-2023-27900",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungen\u00fcgende Eingabe\u00fcberpr\u00fcfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Code auszuf\u00fchren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung."
}
],
"product_status": {
"known_affected": [
"67646",
"T027233"
]
},
"release_date": "2023-03-08T23:00:00.000+00:00",
"title": "CVE-2023-27900"
},
{
"cve": "CVE-2023-27899",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungen\u00fcgende Eingabe\u00fcberpr\u00fcfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Code auszuf\u00fchren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung."
}
],
"product_status": {
"known_affected": [
"67646",
"T027233"
]
},
"release_date": "2023-03-08T23:00:00.000+00:00",
"title": "CVE-2023-27899"
},
{
"cve": "CVE-2023-27898",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungen\u00fcgende Eingabe\u00fcberpr\u00fcfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Code auszuf\u00fchren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung."
}
],
"product_status": {
"known_affected": [
"67646",
"T027233"
]
},
"release_date": "2023-03-08T23:00:00.000+00:00",
"title": "CVE-2023-27898"
},
{
"cve": "CVE-2023-24998",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen in unterschiedlichen Plugins und Komponenten. Dabei handelt es sich um ungen\u00fcgende Eingabe\u00fcberpr\u00fcfungen, unsichere Datei-Berechtigungen und unsichere Speicherung von Informationen. Ein Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren und Code auszuf\u00fchren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion oder Anmeldung."
}
],
"product_status": {
"known_affected": [
"67646",
"T027233"
]
},
"release_date": "2023-03-08T23:00:00.000+00:00",
"title": "CVE-2023-24998"
}
]
}
WID-SEC-W-2023-1812
Vulnerability from csaf_certbund - Published: 2023-07-18 22:00 - Updated: 2023-07-20 22:00Summary
Oracle Communications: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Oracle Communications umfasst branchenspezifische Lösungen für die Telekommunikationsbranche.
Angriff: Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Communications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme: - UNIX
- Linux
- Windows
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.
Affected products
Known affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Communications 23.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.2.0
|
— | |
|
Oracle Communications 6.2.0
Oracle / Communications
|
cpe:/a:oracle:communications:6.2.0
|
— | |
|
Oracle Communications 22.4.3
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.3
|
— | |
|
Oracle Communications 23.1.2
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.2
|
— | |
|
Oracle Communications 22.4.1
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.1
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Oracle Communications 22.3.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.3.2
|
— | |
|
Oracle Communications 5.0
Oracle / Communications
|
cpe:/a:oracle:communications:5.0
|
— | |
|
Oracle Communications 23.1.1
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.1
|
— | |
|
Oracle Communications 23.1.0
Oracle / Communications
|
cpe:/a:oracle:communications:23.1.0
|
— | |
|
Oracle Communications 8.6.0.0
Oracle / Communications
|
cpe:/a:oracle:communications:8.6.0.0
|
— | |
|
Oracle Communications 22.4.0
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.0
|
— | |
|
Oracle Communications 22.4.2
Oracle / Communications
|
cpe:/a:oracle:communications:22.4.2
|
— | |
|
Oracle Communications 5.1
Oracle / Communications
|
cpe:/a:oracle:communications:5.1
|
— | |
|
Oracle Communications 9.1.1.5.0
Oracle / Communications
|
cpe:/a:oracle:communications:9.1.1.5.0
|
— |
References
4 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Communications umfasst branchenspezifische L\u00f6sungen f\u00fcr die Telekommunikationsbranche.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Communications ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-1812 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1812.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-1812 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1812"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2023:2263-2 vom 2023-07-20",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2023-July/015545.html"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Communications vom 2023-07-18",
"url": "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixCGBU"
}
],
"source_lang": "en-US",
"title": "Oracle Communications: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-07-20T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:55:52.927+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-1812",
"initial_release_date": "2023-07-18T22:00:00.000+00:00",
"revision_history": [
{
"date": "2023-07-18T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2023-07-20T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von SUSE aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Oracle Communications 5.0",
"product": {
"name": "Oracle Communications 5.0",
"product_id": "T021645",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:5.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 8.6.0.0",
"product": {
"name": "Oracle Communications 8.6.0.0",
"product_id": "T024970",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:8.6.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 22.4.0",
"product": {
"name": "Oracle Communications 22.4.0",
"product_id": "T024981",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:22.4.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 22.3.2",
"product": {
"name": "Oracle Communications 22.3.2",
"product_id": "T025865",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:22.3.2"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 22.4.1",
"product": {
"name": "Oracle Communications 22.4.1",
"product_id": "T025869",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:22.4.1"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 23.1.0",
"product": {
"name": "Oracle Communications 23.1.0",
"product_id": "T027326",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:23.1.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 22.4.2",
"product": {
"name": "Oracle Communications 22.4.2",
"product_id": "T027327",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:22.4.2"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 23.1.1",
"product": {
"name": "Oracle Communications 23.1.1",
"product_id": "T027329",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:23.1.1"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 22.4.3",
"product": {
"name": "Oracle Communications 22.4.3",
"product_id": "T028680",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:22.4.3"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 23.1.2",
"product": {
"name": "Oracle Communications 23.1.2",
"product_id": "T028681",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:23.1.2"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 23.2.0",
"product": {
"name": "Oracle Communications 23.2.0",
"product_id": "T028682",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:23.2.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 6.2.0",
"product": {
"name": "Oracle Communications 6.2.0",
"product_id": "T028683",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:6.2.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 5.1",
"product": {
"name": "Oracle Communications 5.1",
"product_id": "T028684",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:5.1"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 9.1.1.5.0",
"product": {
"name": "Oracle Communications 9.1.1.5.0",
"product_id": "T028685",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:9.1.1.5.0"
}
}
}
],
"category": "product_name",
"name": "Communications"
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-30861",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-30861"
},
{
"cve": "CVE-2023-29007",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-29007"
},
{
"cve": "CVE-2023-28856",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-28856"
},
{
"cve": "CVE-2023-28708",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-28708"
},
{
"cve": "CVE-2023-28484",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-28484"
},
{
"cve": "CVE-2023-27901",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-27901"
},
{
"cve": "CVE-2023-26049",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-26049"
},
{
"cve": "CVE-2023-25194",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-25194"
},
{
"cve": "CVE-2023-24998",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-24998"
},
{
"cve": "CVE-2023-23931",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-23931"
},
{
"cve": "CVE-2023-22809",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-22809"
},
{
"cve": "CVE-2023-21971",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-21971"
},
{
"cve": "CVE-2023-20873",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-20873"
},
{
"cve": "CVE-2023-20863",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-20863"
},
{
"cve": "CVE-2023-20862",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-20862"
},
{
"cve": "CVE-2023-20861",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-20861"
},
{
"cve": "CVE-2023-1999",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-1999"
},
{
"cve": "CVE-2023-1436",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-1436"
},
{
"cve": "CVE-2023-1370",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-1370"
},
{
"cve": "CVE-2023-0767",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-0767"
},
{
"cve": "CVE-2023-0361",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-0361"
},
{
"cve": "CVE-2023-0286",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-0286"
},
{
"cve": "CVE-2023-0215",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-0215"
},
{
"cve": "CVE-2022-45787",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-45787"
},
{
"cve": "CVE-2022-45688",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-45688"
},
{
"cve": "CVE-2022-45061",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-45061"
},
{
"cve": "CVE-2022-4450",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-4450"
},
{
"cve": "CVE-2022-42898",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-42898"
},
{
"cve": "CVE-2022-41881",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-41881"
},
{
"cve": "CVE-2022-37434",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-37434"
},
{
"cve": "CVE-2022-36944",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-36944"
},
{
"cve": "CVE-2022-2963",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-2963"
},
{
"cve": "CVE-2022-25147",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-25147"
},
{
"cve": "CVE-2022-1471",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-1471"
},
{
"cve": "CVE-2021-40528",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2021-40528"
},
{
"cve": "CVE-2021-25220",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2021-25220"
},
{
"cve": "CVE-2020-10735",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T028682",
"T028683",
"T028680",
"T028681",
"T025869",
"T002207",
"T025865",
"T021645",
"T027329",
"T027326",
"T024970",
"T024981",
"T027327",
"T028684",
"T028685"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2020-10735"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…