Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2015-7940
Vulnerability from cvelistv5
Published
2015-11-09 16:00
Modified
2024-08-06 08:06
Severity ?
EPSS score ?
Summary
The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T08:06:30.850Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { name: "79091", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/79091", }, { name: "openSUSE-SU-2015:1911", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html", }, { name: "FEDORA-2015-7d95466eda", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { name: "RHSA-2016:2036", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { name: "USN-3727-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3727-1/", }, { name: "[oss-security] 20151022 Re: CVE Request: invalid curve attack on bouncycastle", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2015/10/22/9", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "1037036", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1037036", }, { name: "[oss-security] 20151022 CVE Request: invalid curve attack on bouncycastle", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2015/10/22/7", }, { name: "DSA-3417", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2015/dsa-3417", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html", }, { name: "1037046", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1037046", }, { name: "1037053", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1037053", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2015-09-15T00:00:00", descriptions: [ { lang: "en", value: "The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\"", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-04-15T21:06:39", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { name: "79091", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/79091", }, { name: "openSUSE-SU-2015:1911", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html", }, { name: "FEDORA-2015-7d95466eda", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { name: "RHSA-2016:2036", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { name: "USN-3727-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3727-1/", }, { name: "[oss-security] 20151022 Re: CVE Request: invalid curve attack on bouncycastle", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2015/10/22/9", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "1037036", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1037036", }, { name: "[oss-security] 20151022 CVE Request: invalid curve attack on bouncycastle", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2015/10/22/7", }, { name: "DSA-3417", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2015/dsa-3417", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", }, { tags: [ "x_refsource_MISC", ], url: "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html", }, { name: "1037046", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1037046", }, { name: "1037053", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1037053", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2015-7940", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\"", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2016:2035", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", refsource: "CONFIRM", url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { name: "79091", refsource: "BID", url: "http://www.securityfocus.com/bid/79091", }, { name: "openSUSE-SU-2015:1911", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html", }, { name: "FEDORA-2015-7d95466eda", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { name: "RHSA-2016:2036", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { name: "USN-3727-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3727-1/", }, { name: "[oss-security] 20151022 Re: CVE Request: invalid curve attack on bouncycastle", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2015/10/22/9", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "1037036", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1037036", }, { name: "[oss-security] 20151022 CVE Request: invalid curve attack on bouncycastle", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2015/10/22/7", }, { name: "DSA-3417", refsource: "DEBIAN", url: "http://www.debian.org/security/2015/dsa-3417", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", }, { name: "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html", refsource: "MISC", url: "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html", }, { name: "1037046", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1037046", }, { name: "1037053", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1037053", }, { name: "https://www.oracle.com/security-alerts/cpuapr2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2015-7940", datePublished: "2015-11-09T16:00:00", dateReserved: "2015-10-22T00:00:00", dateUpdated: "2024-08-06T08:06:30.850Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { nvd: "{\"cve\":{\"id\":\"CVE-2015-7940\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2015-11-09T16:59:09.277\",\"lastModified\":\"2024-11-21T02:37:42.203\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \\\"invalid curve attack.\\\"\"},{\"lang\":\"es\",\"value\":\"La librería Bouncy Castle Java en versiones anteriores a 1.51 no valida un punto que se encuentra dentro de la curva elíptica, lo que facilita a atacantes remotos obtener claves privadas a través de una serie de intercambios de clave de curva elíptica Diffie Hellman (ECDH) manipulados, también conocida como un 'ataque de curva no válida'.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-310\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4863BE36-D16A-4D75-90D9-FD76DB5B48B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A10BC294-9196-425F-9FB0-B1625465B47F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"03117DF1-3BEC-4B8D-AD63-DBBDB2126081\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.50\",\"matchCriteriaId\":\"1F13E5A4-3B59-4F36-9876-1824D17B792F\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:application_testing_suite:12.5.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3DDC0DF-B134-4168-8A29-5002305C1167\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:application_testing_suite:12.5.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"62E818A9-663D-4AFB-B3D6-686CE4DB9676\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"17EA8B91-7634-4636-B647-1049BA7CA088\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_manager_ops_center:12.1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BA2CF507-AA3F-464C-88DF-71E30672E623\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BE12B6A4-E128-41EC-8017-558F50B961BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.54:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CDD82442-3535-4BB9-8888-F61A35B900AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"45CB30A1-B2C9-4BF5-B510-1F2F18B60C64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:virtual_desktop_infrastructure:3.5.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"89E7F3DD-4137-4613-A4CC-26DB2FFF2871\"}]}]}],\"references\":[{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2035.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2036.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Technical Description\"]},{\"url\":\"http://www.debian.org/security/2015/dsa-3417\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2015/10/22/7\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2015/10/22/9\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/79091\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securitytracker.com/id/1037036\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securitytracker.com/id/1037046\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securitytracker.com/id/1037053\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://usn.ubuntu.com/3727-1/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2020.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2035.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2036.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\"]},{\"url\":\"http://www.debian.org/security/2015/dsa-3417\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2015/10/22/7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2015/10/22/9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/79091\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1037036\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1037046\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1037053\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://usn.ubuntu.com/3727-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}", }, }
wid-sec-w-2022-1375
Vulnerability from csaf_certbund
Published
2022-09-11 22:00
Modified
2023-09-14 22:00
Summary
JFrog Artifactory: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
JFrog Artifactory ist eine universelle DevOps-Lösung.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen.
Betroffene Betriebssysteme
- UNIX
- Linux
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "JFrog Artifactory ist eine universelle DevOps-Lösung.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2022-1375 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1375.json", }, { category: "self", summary: "WID-SEC-2022-1375 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1375", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:5165 vom 2023-09-14", url: "https://access.redhat.com/errata/RHSA-2023:5165", }, { category: "external", summary: "JFrog Fixed Security Vulnerabilities vom 2022-09-11", url: "https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities", }, { category: "external", summary: "JFrog Fixed Security Vulnerabilities", url: "https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2022:6782 vom 2022-10-04", url: "https://access.redhat.com/errata/RHSA-2022:6782", }, { category: "external", summary: "Ubuntu Security Notice USN-5776-1 vom 2022-12-13", url: "https://ubuntu.com/security/notices/USN-5776-1", }, ], source_lang: "en-US", title: "JFrog Artifactory: Mehrere Schwachstellen", tracking: { current_release_date: "2023-09-14T22:00:00.000+00:00", generator: { date: "2024-08-15T17:34:59.214+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2022-1375", initial_release_date: "2022-09-11T22:00:00.000+00:00", revision_history: [ { date: "2022-09-11T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2022-10-03T22:00:00.000+00:00", number: "2", summary: "Neue Updates aufgenommen", }, { date: "2022-10-04T22:00:00.000+00:00", number: "3", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2022-12-12T23:00:00.000+00:00", number: "4", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2022-12-20T23:00:00.000+00:00", number: "5", summary: "Referenz(en) aufgenommen: FEDORA-2022-DB674BAFD9, FEDORA-2022-7E327A20BE", }, { date: "2023-09-14T22:00:00.000+00:00", number: "6", summary: "Neue Updates von Red Hat aufgenommen", }, ], status: "final", version: "6", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "JFrog Artifactory", product: { name: "JFrog Artifactory", product_id: "T024527", product_identification_helper: { cpe: "cpe:/a:jfrog:artifactory:-", }, }, }, { category: "product_name", name: "JFrog Artifactory < 7.46.3", product: { name: "JFrog Artifactory < 7.46.3", product_id: "T024764", product_identification_helper: { cpe: "cpe:/a:jfrog:artifactory:7.46.3", }, }, }, ], category: "product_name", name: "Artifactory", }, ], category: "vendor", name: "JFrog", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "Ubuntu Linux", product: { name: "Ubuntu Linux", product_id: "T000126", product_identification_helper: { cpe: "cpe:/o:canonical:ubuntu_linux:-", }, }, }, ], category: "vendor", name: "Ubuntu", }, ], }, vulnerabilities: [ { cve: "CVE-2013-4517", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2013-4517", }, { cve: "CVE-2013-7285", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2013-7285", }, { cve: "CVE-2014-0107", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-0107", }, { cve: "CVE-2014-0114", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-0114", }, { cve: "CVE-2014-3577", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-3577", }, { cve: "CVE-2014-3623", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-3623", }, { cve: "CVE-2015-0227", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-0227", }, { cve: "CVE-2015-2575", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-2575", }, { cve: "CVE-2015-3253", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-3253", }, { cve: "CVE-2015-4852", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-4852", }, { cve: "CVE-2015-7940", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-7940", }, { cve: "CVE-2016-10750", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-10750", }, { cve: "CVE-2016-3092", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-3092", }, { cve: "CVE-2016-3674", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-3674", }, { cve: "CVE-2016-6501", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-6501", }, { cve: "CVE-2016-8735", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-8735", }, { cve: "CVE-2016-8745", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-8745", }, { cve: "CVE-2017-1000487", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-1000487", }, { cve: "CVE-2017-15095", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-15095", }, { cve: "CVE-2017-17485", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-17485", }, { cve: "CVE-2017-18214", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-18214", }, { cve: "CVE-2017-18640", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-18640", }, { cve: "CVE-2017-7525", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7525", }, { cve: "CVE-2017-7657", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7657", }, { cve: "CVE-2017-7957", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7957", }, { cve: "CVE-2017-9506", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-9506", }, { cve: "CVE-2018-1000206", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2018-1000206", }, { cve: "CVE-2018-9116", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2018-9116", }, { cve: "CVE-2019-10219", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-10219", }, { cve: "CVE-2019-12402", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-12402", }, { cve: "CVE-2019-17359", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-17359", }, { cve: "CVE-2019-17571", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-17571", }, { cve: "CVE-2019-20104", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-20104", }, { cve: "CVE-2020-11996", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-11996", }, { cve: "CVE-2020-13934", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13934", }, { cve: "CVE-2020-13935", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13935", }, { cve: "CVE-2020-13949", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13949", }, { cve: "CVE-2020-14340", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-14340", }, { cve: "CVE-2020-15586", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-15586", }, { cve: "CVE-2020-1745", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-1745", }, { cve: "CVE-2020-17521", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-17521", }, { cve: "CVE-2020-25649", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-25649", }, { cve: "CVE-2020-28500", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-28500", }, { cve: "CVE-2020-29582", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-29582", }, { cve: "CVE-2020-36518", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-36518", }, { cve: "CVE-2020-7226", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-7226", }, { cve: "CVE-2020-7692", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-7692", }, { cve: "CVE-2020-8203", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-8203", }, { cve: "CVE-2021-13936", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-13936", }, { cve: "CVE-2021-21290", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-21290", }, { cve: "CVE-2021-22060", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22060", }, { cve: "CVE-2021-22112", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22112", }, { cve: "CVE-2021-22119", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22119", }, { cve: "CVE-2021-22147", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22147", }, { cve: "CVE-2021-22148", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22148", }, { cve: "CVE-2021-22149", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22149", }, { cve: "CVE-2021-22573", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22573", }, { cve: "CVE-2021-23337", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-23337", }, { cve: "CVE-2021-25122", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-25122", }, { cve: "CVE-2021-26291", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-26291", }, { cve: "CVE-2021-27568", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-27568", }, { cve: "CVE-2021-29505", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-29505", }, { cve: "CVE-2021-30129", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-30129", }, { cve: "CVE-2021-33037", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-33037", }, { cve: "CVE-2021-35550", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35550", }, { cve: "CVE-2021-35556", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35556", }, { cve: "CVE-2021-35560", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35560", }, { cve: "CVE-2021-35561", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35561", }, { cve: "CVE-2021-35564", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35564", }, { cve: "CVE-2021-35565", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35565", }, { cve: "CVE-2021-35567", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35567", }, { cve: "CVE-2021-35578", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35578", }, { cve: "CVE-2021-35586", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35586", }, { cve: "CVE-2021-35588", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35588", }, { cve: "CVE-2021-35603", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35603", }, { cve: "CVE-2021-36374", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-36374", }, { cve: "CVE-2021-3765", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3765", }, { cve: "CVE-2021-3807", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3807", }, { cve: "CVE-2021-38561", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-38561", }, { cve: "CVE-2021-3859", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3859", }, { cve: "CVE-2021-41090", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-41090", }, { cve: "CVE-2021-41091", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-41091", }, { cve: "CVE-2021-42340", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-42340", }, { cve: "CVE-2021-42550", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-42550", }, { cve: "CVE-2021-43797", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-43797", }, { cve: "CVE-2022-0536", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-0536", }, { cve: "CVE-2022-22963", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-22963", }, { cve: "CVE-2022-23632", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23632", }, { cve: "CVE-2022-23648", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23648", }, { cve: "CVE-2022-23806", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23806", }, { cve: "CVE-2022-24769", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-24769", }, { cve: "CVE-2022-24823", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-24823", }, { cve: "CVE-2022-27191", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-27191", }, { cve: "CVE-2022-29153", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-29153", }, { cve: "CVE-2022-32212", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32212", }, { cve: "CVE-2022-32213", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32213", }, { cve: "CVE-2022-32214", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32214", }, { cve: "CVE-2022-32215", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32215", }, { cve: "CVE-2022-32223", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32223", }, ], }
WID-SEC-W-2022-1375
Vulnerability from csaf_certbund
Published
2022-09-11 22:00
Modified
2023-09-14 22:00
Summary
JFrog Artifactory: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
JFrog Artifactory ist eine universelle DevOps-Lösung.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen.
Betroffene Betriebssysteme
- UNIX
- Linux
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "JFrog Artifactory ist eine universelle DevOps-Lösung.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2022-1375 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1375.json", }, { category: "self", summary: "WID-SEC-2022-1375 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1375", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:5165 vom 2023-09-14", url: "https://access.redhat.com/errata/RHSA-2023:5165", }, { category: "external", summary: "JFrog Fixed Security Vulnerabilities vom 2022-09-11", url: "https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities", }, { category: "external", summary: "JFrog Fixed Security Vulnerabilities", url: "https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2022:6782 vom 2022-10-04", url: "https://access.redhat.com/errata/RHSA-2022:6782", }, { category: "external", summary: "Ubuntu Security Notice USN-5776-1 vom 2022-12-13", url: "https://ubuntu.com/security/notices/USN-5776-1", }, ], source_lang: "en-US", title: "JFrog Artifactory: Mehrere Schwachstellen", tracking: { current_release_date: "2023-09-14T22:00:00.000+00:00", generator: { date: "2024-08-15T17:34:59.214+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2022-1375", initial_release_date: "2022-09-11T22:00:00.000+00:00", revision_history: [ { date: "2022-09-11T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2022-10-03T22:00:00.000+00:00", number: "2", summary: "Neue Updates aufgenommen", }, { date: "2022-10-04T22:00:00.000+00:00", number: "3", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2022-12-12T23:00:00.000+00:00", number: "4", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2022-12-20T23:00:00.000+00:00", number: "5", summary: "Referenz(en) aufgenommen: FEDORA-2022-DB674BAFD9, FEDORA-2022-7E327A20BE", }, { date: "2023-09-14T22:00:00.000+00:00", number: "6", summary: "Neue Updates von Red Hat aufgenommen", }, ], status: "final", version: "6", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "JFrog Artifactory", product: { name: "JFrog Artifactory", product_id: "T024527", product_identification_helper: { cpe: "cpe:/a:jfrog:artifactory:-", }, }, }, { category: "product_name", name: "JFrog Artifactory < 7.46.3", product: { name: "JFrog Artifactory < 7.46.3", product_id: "T024764", product_identification_helper: { cpe: "cpe:/a:jfrog:artifactory:7.46.3", }, }, }, ], category: "product_name", name: "Artifactory", }, ], category: "vendor", name: "JFrog", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "Ubuntu Linux", product: { name: "Ubuntu Linux", product_id: "T000126", product_identification_helper: { cpe: "cpe:/o:canonical:ubuntu_linux:-", }, }, }, ], category: "vendor", name: "Ubuntu", }, ], }, vulnerabilities: [ { cve: "CVE-2013-4517", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2013-4517", }, { cve: "CVE-2013-7285", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2013-7285", }, { cve: "CVE-2014-0107", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-0107", }, { cve: "CVE-2014-0114", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-0114", }, { cve: "CVE-2014-3577", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-3577", }, { cve: "CVE-2014-3623", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-3623", }, { cve: "CVE-2015-0227", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-0227", }, { cve: "CVE-2015-2575", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-2575", }, { cve: "CVE-2015-3253", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-3253", }, { cve: "CVE-2015-4852", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-4852", }, { cve: "CVE-2015-7940", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-7940", }, { cve: "CVE-2016-10750", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-10750", }, { cve: "CVE-2016-3092", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-3092", }, { cve: "CVE-2016-3674", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-3674", }, { cve: "CVE-2016-6501", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-6501", }, { cve: "CVE-2016-8735", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-8735", }, { cve: "CVE-2016-8745", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-8745", }, { cve: "CVE-2017-1000487", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-1000487", }, { cve: "CVE-2017-15095", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-15095", }, { cve: "CVE-2017-17485", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-17485", }, { cve: "CVE-2017-18214", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-18214", }, { cve: "CVE-2017-18640", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-18640", }, { cve: "CVE-2017-7525", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7525", }, { cve: "CVE-2017-7657", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7657", }, { cve: "CVE-2017-7957", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7957", }, { cve: "CVE-2017-9506", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-9506", }, { cve: "CVE-2018-1000206", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2018-1000206", }, { cve: "CVE-2018-9116", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2018-9116", }, { cve: "CVE-2019-10219", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-10219", }, { cve: "CVE-2019-12402", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-12402", }, { cve: "CVE-2019-17359", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-17359", }, { cve: "CVE-2019-17571", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-17571", }, { cve: "CVE-2019-20104", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-20104", }, { cve: "CVE-2020-11996", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-11996", }, { cve: "CVE-2020-13934", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13934", }, { cve: "CVE-2020-13935", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13935", }, { cve: "CVE-2020-13949", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13949", }, { cve: "CVE-2020-14340", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-14340", }, { cve: "CVE-2020-15586", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-15586", }, { cve: "CVE-2020-1745", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-1745", }, { cve: "CVE-2020-17521", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-17521", }, { cve: "CVE-2020-25649", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-25649", }, { cve: "CVE-2020-28500", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-28500", }, { cve: "CVE-2020-29582", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-29582", }, { cve: "CVE-2020-36518", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-36518", }, { cve: "CVE-2020-7226", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-7226", }, { cve: "CVE-2020-7692", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-7692", }, { cve: "CVE-2020-8203", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-8203", }, { cve: "CVE-2021-13936", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-13936", }, { cve: "CVE-2021-21290", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-21290", }, { cve: "CVE-2021-22060", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22060", }, { cve: "CVE-2021-22112", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22112", }, { cve: "CVE-2021-22119", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22119", }, { cve: "CVE-2021-22147", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22147", }, { cve: "CVE-2021-22148", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22148", }, { cve: "CVE-2021-22149", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22149", }, { cve: "CVE-2021-22573", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22573", }, { cve: "CVE-2021-23337", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-23337", }, { cve: "CVE-2021-25122", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-25122", }, { cve: "CVE-2021-26291", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-26291", }, { cve: "CVE-2021-27568", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-27568", }, { cve: "CVE-2021-29505", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-29505", }, { cve: "CVE-2021-30129", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-30129", }, { cve: "CVE-2021-33037", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-33037", }, { cve: "CVE-2021-35550", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35550", }, { cve: "CVE-2021-35556", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35556", }, { cve: "CVE-2021-35560", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35560", }, { cve: "CVE-2021-35561", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35561", }, { cve: "CVE-2021-35564", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35564", }, { cve: "CVE-2021-35565", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35565", }, { cve: "CVE-2021-35567", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35567", }, { cve: "CVE-2021-35578", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35578", }, { cve: "CVE-2021-35586", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35586", }, { cve: "CVE-2021-35588", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35588", }, { cve: "CVE-2021-35603", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35603", }, { cve: "CVE-2021-36374", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-36374", }, { cve: "CVE-2021-3765", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3765", }, { cve: "CVE-2021-3807", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3807", }, { cve: "CVE-2021-38561", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-38561", }, { cve: "CVE-2021-3859", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3859", }, { cve: "CVE-2021-41090", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-41090", }, { cve: "CVE-2021-41091", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-41091", }, { cve: "CVE-2021-42340", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-42340", }, { cve: "CVE-2021-42550", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-42550", }, { cve: "CVE-2021-43797", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-43797", }, { cve: "CVE-2022-0536", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-0536", }, { cve: "CVE-2022-22963", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-22963", }, { cve: "CVE-2022-23632", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23632", }, { cve: "CVE-2022-23648", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23648", }, { cve: "CVE-2022-23806", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23806", }, { cve: "CVE-2022-24769", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-24769", }, { cve: "CVE-2022-24823", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-24823", }, { cve: "CVE-2022-27191", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-27191", }, { cve: "CVE-2022-29153", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-29153", }, { cve: "CVE-2022-32212", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32212", }, { cve: "CVE-2022-32213", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32213", }, { cve: "CVE-2022-32214", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32214", }, { cve: "CVE-2022-32215", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32215", }, { cve: "CVE-2022-32223", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32223", }, ], }
wid-sec-w-2024-3616
Vulnerability from csaf_certbund
Published
2016-10-06 22:00
Modified
2024-12-05 23:00
Summary
Red Hat JBoss Fuse: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
JBoss Fuse ist ein Open Source Enterprise Service Bus (ESB).
JBoss A-MQ ist eine Messaging-Plattform.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Fuse und Red Hat JBoss A-MQ ausnutzen, um einen Denial of Service Angriff durchzuführen, Code mit den Privilegien des angegriffenen Dienstes zur Ausführung bringen, vertrauliche Daten einzusehen, Informationen zu manipulieren oder Sicherheitsmechanismen zu umgehen.
Betroffene Betriebssysteme
- Linux
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "JBoss Fuse ist ein Open Source Enterprise Service Bus (ESB).\r\nJBoss A-MQ ist eine Messaging-Plattform.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Fuse und Red Hat JBoss A-MQ ausnutzen, um einen Denial of Service Angriff durchzuführen, Code mit den Privilegien des angegriffenen Dienstes zur Ausführung bringen, vertrauliche Daten einzusehen, Informationen zu manipulieren oder Sicherheitsmechanismen zu umgehen.", title: "Angriff", }, { category: "general", text: "- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-3616 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2016/wid-sec-w-2024-3616.json", }, { category: "self", summary: "WID-SEC-2024-3616 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3616", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2016:2036-1 vom 2016-10-06", url: "https://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2016:2035-1 vom 2016-10-06", url: "https://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { category: "external", summary: "Juniper Security Advisory JSA11023 vom 2020-07-08", url: "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11023", }, { category: "external", summary: "Ubuntu Security Notice USN-7139-1 vom 2024-12-05", url: "https://ubuntu.com/security/notices/USN-7139-1", }, ], source_lang: "en-US", title: "Red Hat JBoss Fuse: Mehrere Schwachstellen", tracking: { current_release_date: "2024-12-05T23:00:00.000+00:00", generator: { date: "2024-12-06T09:15:40.792+00:00", engine: { name: "BSI-WID", version: "1.3.10", }, }, id: "WID-SEC-W-2024-3616", initial_release_date: "2016-10-06T22:00:00.000+00:00", revision_history: [ { date: "2016-10-06T22:00:00.000+00:00", number: "1", summary: "Initial Release", }, { date: "2016-10-06T22:00:00.000+00:00", number: "2", summary: "Version nicht vorhanden", }, { date: "2016-10-06T22:00:00.000+00:00", number: "3", summary: "Version nicht vorhanden", }, { date: "2019-06-18T22:00:00.000+00:00", number: "4", summary: "Referenz(en) aufgenommen: RHSA-2019:1545", }, { date: "2020-07-08T22:00:00.000+00:00", number: "5", summary: "Neue Updates von Juniper aufgenommen", }, { date: "2024-12-05T23:00:00.000+00:00", number: "6", summary: "Neue Updates von Ubuntu aufgenommen", }, ], status: "final", version: "6", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version_range", name: "<20.1R1", product: { name: "Juniper Junos Space <20.1R1", product_id: "T016874", }, }, { category: "product_version", name: "20.1R1", product: { name: "Juniper Junos Space 20.1R1", product_id: "T016874-fixed", product_identification_helper: { cpe: "cpe:/a:juniper:junos_space:20.1r1", }, }, }, ], category: "product_name", name: "Junos Space", }, ], category: "vendor", name: "Juniper", }, { branches: [ { branches: [ { category: "product_version", name: "6.3", product: { name: "Red Hat JBoss A-MQ 6.3", product_id: "T008598", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_amq:6.3", }, }, }, ], category: "product_name", name: "JBoss A-MQ", }, { branches: [ { category: "product_version", name: "6.3", product: { name: "Red Hat JBoss Fuse 6.3", product_id: "T008597", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.3", }, }, }, ], category: "product_name", name: "JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "Ubuntu Linux", product: { name: "Ubuntu Linux", product_id: "T000126", product_identification_helper: { cpe: "cpe:/o:canonical:ubuntu_linux:-", }, }, }, ], category: "vendor", name: "Ubuntu", }, ], }, vulnerabilities: [ { cve: "CVE-2015-3192", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Fuse und Red Hat JBoss A-MQ. Die Schwachstelle besteht im Spring Framework und beruht auf der Art und WEise, wie \"inline DTD Deklarationen\" verarbeitet werden. Ein Angreifer kann dieses durch Übermitteln geeignet gestalteter XML Daten zu einem Denial of Service Angirff nutzen.", }, ], product_status: { known_affected: [ "T008598", "T000126", "T016874", "T008597", ], }, release_date: "2016-10-06T22:00:00.000+00:00", title: "CVE-2015-3192", }, { cve: "CVE-2015-5344", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Fuse in der Apache Camel camel-xstream Komponente. Die Schwachstelle beruht auf einem Deseialisierungfehler von Java Objekten. Ein Angreifer kann dieses nutzen und u. a. vertrauliche Daten einsehen oder Code zur Ausführung bringen.", }, ], product_status: { known_affected: [ "T000126", "T008597", ], }, release_date: "2016-10-06T22:00:00.000+00:00", title: "CVE-2015-5344", }, { cve: "CVE-2015-5348", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Fuse. Die Schwachstelle besteht in dem Apache Camels Jetty/Servlet und beruht auf einem Deserialisierungsfehler. Ein Angreifer kann dieses durch Übermitteln geeignet gestalteter Daten nutzen und beliebigen Code zur Ausführung bringen.", }, ], product_status: { known_affected: [ "T000126", "T008597", ], }, release_date: "2016-10-06T22:00:00.000+00:00", title: "CVE-2015-5348", }, { cve: "CVE-2015-7940", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Fuse und Red Hat JBoss A-MQ in der Komponente \"bouncycastle\". Die Schwachstelle beruht darauf, dass ein Angreifer private Schlüssel bei Verwendung von elliptischen Kurven in der Kryptographie auslesen kann.", }, ], product_status: { known_affected: [ "T008598", "T000126", "T008597", ], }, release_date: "2016-10-06T22:00:00.000+00:00", title: "CVE-2015-7940", }, { cve: "CVE-2016-2141", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Fuse. Die Schwachstelle beruht darauf, dass neue Nodes durch JGroups nicht korrekt authentisiert werden. Ein Angreifer kann dieses nutzen und Sicherheitsmechanismen umgehen.", }, ], product_status: { known_affected: [ "T000126", "T008597", ], }, release_date: "2016-10-06T22:00:00.000+00:00", title: "CVE-2016-2141", }, { cve: "CVE-2016-2510", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Fuse im Zusammenhang mit BeanShell. Ein anonymer, entfernter Angreifer kann diese Schwachstelle nutzen, um bei der Deserialisierung einer speziell konstruierten Klassenkette beliebigen Programmcode mit den Rechten des Dienstes auszuführen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen, eine modifizierte URL oder Webseite in seinem Web-Browser zu öffnen.", }, ], product_status: { known_affected: [ "T000126", "T008597", ], }, release_date: "2016-10-06T22:00:00.000+00:00", title: "CVE-2016-2510", }, { cve: "CVE-2016-4437", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Fuse und Red Hat JBoss A-MQ. Die Schwachstelle besteht in darin, dass Apache Shiro einen Standardschlüssel für die \"remember me\" Funktion verwendet. Ein Angreifer kann dieses ausnutzen und unautorisiert Zugriff auf die Inhalte erlangen.", }, ], product_status: { known_affected: [ "T008598", "T000126", "T008597", ], }, release_date: "2016-10-06T22:00:00.000+00:00", title: "CVE-2016-4437", }, ], }
rhsa-2016:2036
Vulnerability from csaf_redhat
Published
2016-10-06 16:18
Modified
2024-11-22 10:24
Summary
Red Hat Security Advisory: Red Hat JBoss A-MQ 6.3 security update
Notes
Topic
Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications.
Red Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat JBoss A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.
Security Fix(es):
It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)
A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)
It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)
Refer to the Product Documentation link in the References section for installation instructions.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications.\n\nRed Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat JBoss A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.\n\nSecurity Fix(es):\n\nIt was found that Apache Shiro uses a default cipher key for its \"remember me\" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)\n\nA denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)\n\nIt was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)\n\nRefer to the Product Documentation link in the References section for installation instructions.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2016:2036", url: "https://access.redhat.com/errata/RHSA-2016:2036", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.3.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.3.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3", url: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3", }, { category: "external", summary: "1239002", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1239002", }, { category: "external", summary: "1276272", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1276272", }, { category: "external", summary: "1343346", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1343346", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2036.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss A-MQ 6.3 security update", tracking: { current_release_date: "2024-11-22T10:24:24+00:00", generator: { date: "2024-11-22T10:24:24+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2016:2036", initial_release_date: "2016-10-06T16:18:02+00:00", revision_history: [ { date: "2016-10-06T16:18:02+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:40:10+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T10:24:24+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss A-MQ 6.3", product: { name: "Red Hat JBoss A-MQ 6.3", product_id: "Red Hat JBoss A-MQ 6.3", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_amq:6.3", }, }, }, ], category: "product_family", name: "Red Hat JBoss AMQ", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-3192", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2015-06-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1239002", }, ], notes: [ { category: "description", text: "A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed.", title: "Vulnerability description", }, { category: "summary", text: "Framework: denial-of-service attack with XML input", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-3192", }, { category: "external", summary: "RHBZ#1239002", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1239002", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-3192", url: "https://www.cve.org/CVERecord?id=CVE-2015-3192", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-3192", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-3192", }, { category: "external", summary: "http://pivotal.io/security/cve-2015-3192", url: "http://pivotal.io/security/cve-2015-3192", }, ], release_date: "2015-06-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:02+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2036", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: denial-of-service attack with XML input", }, { cve: "CVE-2015-5254", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2015-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1291292", }, ], notes: [ { category: "description", text: "It was found that use of a JMS ObjectMessage does not safely handle user supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage.", title: "Vulnerability description", }, { category: "summary", text: "ObjectMessage: unsafe deserialization", title: "Vulnerability summary", }, { category: "other", text: "A malicious message producer needs to authenticate to EAP in order to send messages. Also, the use of JMS ObjectMessage needs to be chosen by the developer of the application. Therefore this issue is rated as moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5254", }, { category: "external", summary: "RHBZ#1291292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1291292", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5254", url: "https://www.cve.org/CVERecord?id=CVE-2015-5254", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5254", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5254", }, { category: "external", summary: "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt", url: "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt", }, ], release_date: "2015-12-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:02+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2036", }, { category: "workaround", details: "If you do deploy a JMS publisher, and subscriber, and don't trust the messages sent to you by your clients, you could mitigate this issue by installing a Java agent which restricts the classes which can be deserialized. This is an article with the recommended approach:\n\nhttps://access.redhat.com/solutions/2190911\n\nYou could also mitigate this issue using the features of the Java Virtual Machine added in JEP 290:\n\nhttp://openjdk.java.net/jeps/290", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "ObjectMessage: unsafe deserialization", }, { cve: "CVE-2015-7940", cwe: { id: "CWE-358", name: "Improperly Implemented Security Check for Standard", }, discovery_date: "2015-10-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1276272", }, ], notes: [ { category: "description", text: "It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Invalid curve attack allowing to extract private keys", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-7940", }, { category: "external", summary: "RHBZ#1276272", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1276272", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-7940", url: "https://www.cve.org/CVERecord?id=CVE-2015-7940", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-7940", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-7940", }, ], release_date: "2015-09-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:02+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2036", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Invalid curve attack allowing to extract private keys", }, { cve: "CVE-2016-3088", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2016-05-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1339318", }, ], notes: [ { category: "description", text: "The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.", title: "Vulnerability description", }, { category: "summary", text: "activemq: Fileserver web application vulnerability allowing RCE", title: "Vulnerability summary", }, { category: "other", text: "Red Hat JBoss A-MQ 6.3 , Red Hat JBoss Fuse 6.3, and Red Hat JBoss Fuse Service Works 6.0.0 do not provide the vulnerable component and are not affected by this flaw. Red Hat JBoss A-MQ 6.2.1 and Red Hat JBoss Fuse 6.2.1 disable the vulnerable component and as such are not vulnerable to this flaw. The fileserver component was first disabled in A-MQ 6.2.0 and Fuse 6.2.0. Users of older, unsupported versions of these products are strongly advised to observe the mitigation provided on this page.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-3088", }, { category: "external", summary: "RHBZ#1339318", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1339318", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-3088", url: "https://www.cve.org/CVERecord?id=CVE-2016-3088", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-3088", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-3088", }, { category: "external", summary: "http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt", url: "http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-05-24T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:02+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2036", }, { category: "workaround", details: "Users are advised to use other FTP and HTTP based file servers for transferring blob messages. Fileserver web application SHOULD NOT be used in older version of the broker and it should be disabled (it has been disabled by default since 5.12.0). This can be done by removing (commenting out) the following lines from conf\\jetty.xml file\n\n<bean class=\"org.eclipse.jetty.webapp.WebAppContext\">\n <property name=\"contextPath\" value=\"/fileserver\" />\n <property name=\"resourceBase\" value=\"${activemq.home}/webapps/fileserver\" />\n <property name=\"logUrlOnStart\" value=\"true\" />\n <property name=\"parentLoaderPriority\" value=\"true\" />\n</bean>", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.3", ], }, ], threats: [ { category: "exploit_status", date: "2022-02-10T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "activemq: Fileserver web application vulnerability allowing RCE", }, { cve: "CVE-2016-4437", cwe: { id: "CWE-287", name: "Improper Authentication", }, discovery_date: "2016-06-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1343346", }, ], notes: [ { category: "description", text: "It was found that Apache Shiro uses a default cipher key for its \"remember me\" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content.", title: "Vulnerability description", }, { category: "summary", text: "shiro: Security constraint bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-4437", }, { category: "external", summary: "RHBZ#1343346", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1343346", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-4437", url: "https://www.cve.org/CVERecord?id=CVE-2016-4437", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-4437", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-4437", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-06-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:02+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2036", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.3, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", ], }, ], threats: [ { category: "exploit_status", date: "2021-11-03T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "shiro: Security constraint bypass", }, ], }
RHSA-2016:2035
Vulnerability from csaf_redhat
Published
2016-10-06 16:18
Modified
2024-12-29 18:16
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse 6.3 security update
Notes
Topic
Red Hat JBoss Fuse 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.
Red Hat JBoss Fuse 6.3 is a minor product release that updates Red Hat JBoss Fuse 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.
Security Fix(es):
It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)
A deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library. (CVE-2016-2510)
It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)
A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)
It was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks. (CVE-2015-5344)
It was found that Apache Camel's Jetty/Servlet permitted object deserialization. If using camel-jetty or camel-servlet as a consumer in Camel routes, then Camel will automatically deserialize HTTP requests that use the content-header: application/x-java-serialized-object. An attacker could use this vulnerability to gain access to unauthorized information or conduct further attacks. (CVE-2015-5348)
It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)
The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).
Refer to the Product Documentation link in the References section for installation instructions.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Fuse 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.\n\nRed Hat JBoss Fuse 6.3 is a minor product release that updates Red Hat JBoss Fuse 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.\n\nSecurity Fix(es):\n\nIt was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)\n\nA deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library. (CVE-2016-2510)\n\nIt was found that Apache Shiro uses a default cipher key for its \"remember me\" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)\n\nA denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)\n\nIt was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks. (CVE-2015-5344)\n\nIt was found that Apache Camel's Jetty/Servlet permitted object deserialization. If using camel-jetty or camel-servlet as a consumer in Camel routes, then Camel will automatically deserialize HTTP requests that use the content-header: application/x-java-serialized-object. An attacker could use this vulnerability to gain access to unauthorized information or conduct further attacks. (CVE-2015-5348)\n\nIt was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)\n\nThe CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).\n\nRefer to the Product Documentation link in the References section for installation instructions.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2016:2035", url: "https://access.redhat.com/errata/RHSA-2016:2035", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.3.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.3.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3", url: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3", }, { category: "external", summary: "1239002", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1239002", }, { category: "external", summary: "1276272", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1276272", }, { category: "external", summary: "1292849", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1292849", }, { category: "external", summary: "1303609", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1303609", }, { category: "external", summary: "1310647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1310647", }, { category: "external", summary: "1313589", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1313589", }, { category: "external", summary: "1343346", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1343346", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2035.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse 6.3 security update", tracking: { current_release_date: "2024-12-29T18:16:31+00:00", generator: { date: "2024-12-29T18:16:31+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.4", }, }, id: "RHSA-2016:2035", initial_release_date: "2016-10-06T16:18:07+00:00", revision_history: [ { date: "2016-10-06T16:18:07+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:38:22+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-29T18:16:31+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Fuse 6.3", product: { name: "Red Hat JBoss Fuse 6.3", product_id: "Red Hat JBoss Fuse 6.3", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.3", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-3192", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2015-06-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1239002", }, ], notes: [ { category: "description", text: "A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed.", title: "Vulnerability description", }, { category: "summary", text: "Framework: denial-of-service attack with XML input", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-3192", }, { category: "external", summary: "RHBZ#1239002", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1239002", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-3192", url: "https://www.cve.org/CVERecord?id=CVE-2015-3192", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-3192", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-3192", }, { category: "external", summary: "http://pivotal.io/security/cve-2015-3192", url: "http://pivotal.io/security/cve-2015-3192", }, ], release_date: "2015-06-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: denial-of-service attack with XML input", }, { cve: "CVE-2015-5254", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2015-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1291292", }, ], notes: [ { category: "description", text: "It was found that use of a JMS ObjectMessage does not safely handle user supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage.", title: "Vulnerability description", }, { category: "summary", text: "ObjectMessage: unsafe deserialization", title: "Vulnerability summary", }, { category: "other", text: "A malicious message producer needs to authenticate to EAP in order to send messages. Also, the use of JMS ObjectMessage needs to be chosen by the developer of the application. Therefore this issue is rated as moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5254", }, { category: "external", summary: "RHBZ#1291292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1291292", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5254", url: "https://www.cve.org/CVERecord?id=CVE-2015-5254", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5254", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5254", }, { category: "external", summary: "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt", url: "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt", }, ], release_date: "2015-12-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, { category: "workaround", details: "If you do deploy a JMS publisher, and subscriber, and don't trust the messages sent to you by your clients, you could mitigate this issue by installing a Java agent which restricts the classes which can be deserialized. This is an article with the recommended approach:\n\nhttps://access.redhat.com/solutions/2190911\n\nYou could also mitigate this issue using the features of the Java Virtual Machine added in JEP 290:\n\nhttp://openjdk.java.net/jeps/290", product_ids: [ "Red Hat JBoss Fuse 6.3", ], }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "ObjectMessage: unsafe deserialization", }, { cve: "CVE-2015-5344", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2016-01-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1303609", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks.", title: "Vulnerability description", }, { category: "summary", text: "camel-xstream: Java object de-serialization vulnerability leads to RCE", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5344", }, { category: "external", summary: "RHBZ#1303609", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1303609", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5344", url: "https://www.cve.org/CVERecord?id=CVE-2015-5344", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5344", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5344", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc?version=1&modificationDate=1454056803000&api=v2", url: "https://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc?version=1&modificationDate=1454056803000&api=v2", }, ], release_date: "2015-11-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "MULTIPLE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:M/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "camel-xstream: Java object de-serialization vulnerability leads to RCE", }, { cve: "CVE-2015-5348", discovery_date: "2015-12-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1292849", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's Jetty/Servlet usage is vulnerable to Java object de-serialisation vulnerability. If using camel-jetty, or camel-servlet as a consumer in Camel routes, then Camel will automatically de-serialize HTTP requests that uses the content-header: application/x-java-serialized-object.", title: "Vulnerability description", }, { category: "summary", text: "Camel: Java object deserialisation in Jetty/Servlet", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5348", }, { category: "external", summary: "RHBZ#1292849", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1292849", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5348", url: "https://www.cve.org/CVERecord?id=CVE-2015-5348", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5348", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5348", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-5348.txt", url: "https://camel.apache.org/security-advisories.data/CVE-2015-5348.txt", }, ], release_date: "2015-12-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: Java object deserialisation in Jetty/Servlet", }, { cve: "CVE-2015-7940", cwe: { id: "CWE-358", name: "Improperly Implemented Security Check for Standard", }, discovery_date: "2015-10-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1276272", }, ], notes: [ { category: "description", text: "It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Invalid curve attack allowing to extract private keys", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-7940", }, { category: "external", summary: "RHBZ#1276272", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1276272", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-7940", url: "https://www.cve.org/CVERecord?id=CVE-2015-7940", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-7940", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-7940", }, ], release_date: "2015-09-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Invalid curve attack allowing to extract private keys", }, { acknowledgments: [ { names: [ "Dennis Reed", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-2141", discovery_date: "2015-11-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1313589", }, ], notes: [ { category: "description", text: "It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.", title: "Vulnerability description", }, { category: "summary", text: "JGroups: Authorization bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-2141", }, { category: "external", summary: "RHBZ#1313589", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1313589", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-2141", url: "https://www.cve.org/CVERecord?id=CVE-2016-2141", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-2141", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-2141", }, ], release_date: "2016-06-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, { category: "workaround", details: "Please refer to https://access.redhat.com/articles/2360521 for more information.", product_ids: [ "Red Hat JBoss Fuse 6.3", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "JGroups: Authorization bypass", }, { cve: "CVE-2016-2510", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2016-02-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1310647", }, ], notes: [ { category: "description", text: "A deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library.", title: "Vulnerability description", }, { category: "summary", text: "bsh2: remote code execution via deserialization", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-2510", }, { category: "external", summary: "RHBZ#1310647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1310647", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-2510", url: "https://www.cve.org/CVERecord?id=CVE-2016-2510", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-2510", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-2510", }, { category: "external", summary: "https://github.com/beanshell/beanshell/releases/tag/2.0b6", url: "https://github.com/beanshell/beanshell/releases/tag/2.0b6", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "bsh2: remote code execution via deserialization", }, { cve: "CVE-2016-4437", cwe: { id: "CWE-287", name: "Improper Authentication", }, discovery_date: "2016-06-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1343346", }, ], notes: [ { category: "description", text: "It was found that Apache Shiro uses a default cipher key for its \"remember me\" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content.", title: "Vulnerability description", }, { category: "summary", text: "shiro: Security constraint bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-4437", }, { category: "external", summary: "RHBZ#1343346", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1343346", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-4437", url: "https://www.cve.org/CVERecord?id=CVE-2016-4437", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-4437", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-4437", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-06-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.3, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "exploit_status", date: "2021-11-03T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "shiro: Security constraint bypass", }, ], }
rhsa-2016:2035
Vulnerability from csaf_redhat
Published
2016-10-06 16:18
Modified
2024-12-29 18:16
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse 6.3 security update
Notes
Topic
Red Hat JBoss Fuse 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.
Red Hat JBoss Fuse 6.3 is a minor product release that updates Red Hat JBoss Fuse 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.
Security Fix(es):
It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)
A deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library. (CVE-2016-2510)
It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)
A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)
It was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks. (CVE-2015-5344)
It was found that Apache Camel's Jetty/Servlet permitted object deserialization. If using camel-jetty or camel-servlet as a consumer in Camel routes, then Camel will automatically deserialize HTTP requests that use the content-header: application/x-java-serialized-object. An attacker could use this vulnerability to gain access to unauthorized information or conduct further attacks. (CVE-2015-5348)
It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)
The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).
Refer to the Product Documentation link in the References section for installation instructions.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Fuse 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.\n\nRed Hat JBoss Fuse 6.3 is a minor product release that updates Red Hat JBoss Fuse 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.\n\nSecurity Fix(es):\n\nIt was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)\n\nA deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library. (CVE-2016-2510)\n\nIt was found that Apache Shiro uses a default cipher key for its \"remember me\" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)\n\nA denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)\n\nIt was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks. (CVE-2015-5344)\n\nIt was found that Apache Camel's Jetty/Servlet permitted object deserialization. If using camel-jetty or camel-servlet as a consumer in Camel routes, then Camel will automatically deserialize HTTP requests that use the content-header: application/x-java-serialized-object. An attacker could use this vulnerability to gain access to unauthorized information or conduct further attacks. (CVE-2015-5348)\n\nIt was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)\n\nThe CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).\n\nRefer to the Product Documentation link in the References section for installation instructions.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2016:2035", url: "https://access.redhat.com/errata/RHSA-2016:2035", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.3.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.3.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3", url: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3", }, { category: "external", summary: "1239002", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1239002", }, { category: "external", summary: "1276272", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1276272", }, { category: "external", summary: "1292849", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1292849", }, { category: "external", summary: "1303609", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1303609", }, { category: "external", summary: "1310647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1310647", }, { category: "external", summary: "1313589", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1313589", }, { category: "external", summary: "1343346", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1343346", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2035.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse 6.3 security update", tracking: { current_release_date: "2024-12-29T18:16:31+00:00", generator: { date: "2024-12-29T18:16:31+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.4", }, }, id: "RHSA-2016:2035", initial_release_date: "2016-10-06T16:18:07+00:00", revision_history: [ { date: "2016-10-06T16:18:07+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:38:22+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-29T18:16:31+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Fuse 6.3", product: { name: "Red Hat JBoss Fuse 6.3", product_id: "Red Hat JBoss Fuse 6.3", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.3", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-3192", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2015-06-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1239002", }, ], notes: [ { category: "description", text: "A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed.", title: "Vulnerability description", }, { category: "summary", text: "Framework: denial-of-service attack with XML input", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-3192", }, { category: "external", summary: "RHBZ#1239002", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1239002", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-3192", url: "https://www.cve.org/CVERecord?id=CVE-2015-3192", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-3192", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-3192", }, { category: "external", summary: "http://pivotal.io/security/cve-2015-3192", url: "http://pivotal.io/security/cve-2015-3192", }, ], release_date: "2015-06-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: denial-of-service attack with XML input", }, { cve: "CVE-2015-5254", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2015-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1291292", }, ], notes: [ { category: "description", text: "It was found that use of a JMS ObjectMessage does not safely handle user supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage.", title: "Vulnerability description", }, { category: "summary", text: "ObjectMessage: unsafe deserialization", title: "Vulnerability summary", }, { category: "other", text: "A malicious message producer needs to authenticate to EAP in order to send messages. Also, the use of JMS ObjectMessage needs to be chosen by the developer of the application. Therefore this issue is rated as moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5254", }, { category: "external", summary: "RHBZ#1291292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1291292", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5254", url: "https://www.cve.org/CVERecord?id=CVE-2015-5254", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5254", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5254", }, { category: "external", summary: "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt", url: "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt", }, ], release_date: "2015-12-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, { category: "workaround", details: "If you do deploy a JMS publisher, and subscriber, and don't trust the messages sent to you by your clients, you could mitigate this issue by installing a Java agent which restricts the classes which can be deserialized. This is an article with the recommended approach:\n\nhttps://access.redhat.com/solutions/2190911\n\nYou could also mitigate this issue using the features of the Java Virtual Machine added in JEP 290:\n\nhttp://openjdk.java.net/jeps/290", product_ids: [ "Red Hat JBoss Fuse 6.3", ], }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "ObjectMessage: unsafe deserialization", }, { cve: "CVE-2015-5344", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2016-01-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1303609", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks.", title: "Vulnerability description", }, { category: "summary", text: "camel-xstream: Java object de-serialization vulnerability leads to RCE", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5344", }, { category: "external", summary: "RHBZ#1303609", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1303609", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5344", url: "https://www.cve.org/CVERecord?id=CVE-2015-5344", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5344", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5344", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc?version=1&modificationDate=1454056803000&api=v2", url: "https://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc?version=1&modificationDate=1454056803000&api=v2", }, ], release_date: "2015-11-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "MULTIPLE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:M/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "camel-xstream: Java object de-serialization vulnerability leads to RCE", }, { cve: "CVE-2015-5348", discovery_date: "2015-12-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1292849", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's Jetty/Servlet usage is vulnerable to Java object de-serialisation vulnerability. If using camel-jetty, or camel-servlet as a consumer in Camel routes, then Camel will automatically de-serialize HTTP requests that uses the content-header: application/x-java-serialized-object.", title: "Vulnerability description", }, { category: "summary", text: "Camel: Java object deserialisation in Jetty/Servlet", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5348", }, { category: "external", summary: "RHBZ#1292849", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1292849", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5348", url: "https://www.cve.org/CVERecord?id=CVE-2015-5348", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5348", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5348", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-5348.txt", url: "https://camel.apache.org/security-advisories.data/CVE-2015-5348.txt", }, ], release_date: "2015-12-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: Java object deserialisation in Jetty/Servlet", }, { cve: "CVE-2015-7940", cwe: { id: "CWE-358", name: "Improperly Implemented Security Check for Standard", }, discovery_date: "2015-10-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1276272", }, ], notes: [ { category: "description", text: "It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Invalid curve attack allowing to extract private keys", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-7940", }, { category: "external", summary: "RHBZ#1276272", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1276272", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-7940", url: "https://www.cve.org/CVERecord?id=CVE-2015-7940", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-7940", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-7940", }, ], release_date: "2015-09-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Invalid curve attack allowing to extract private keys", }, { acknowledgments: [ { names: [ "Dennis Reed", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-2141", discovery_date: "2015-11-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1313589", }, ], notes: [ { category: "description", text: "It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.", title: "Vulnerability description", }, { category: "summary", text: "JGroups: Authorization bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-2141", }, { category: "external", summary: "RHBZ#1313589", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1313589", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-2141", url: "https://www.cve.org/CVERecord?id=CVE-2016-2141", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-2141", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-2141", }, ], release_date: "2016-06-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, { category: "workaround", details: "Please refer to https://access.redhat.com/articles/2360521 for more information.", product_ids: [ "Red Hat JBoss Fuse 6.3", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "JGroups: Authorization bypass", }, { cve: "CVE-2016-2510", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2016-02-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1310647", }, ], notes: [ { category: "description", text: "A deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library.", title: "Vulnerability description", }, { category: "summary", text: "bsh2: remote code execution via deserialization", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-2510", }, { category: "external", summary: "RHBZ#1310647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1310647", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-2510", url: "https://www.cve.org/CVERecord?id=CVE-2016-2510", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-2510", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-2510", }, { category: "external", summary: "https://github.com/beanshell/beanshell/releases/tag/2.0b6", url: "https://github.com/beanshell/beanshell/releases/tag/2.0b6", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "bsh2: remote code execution via deserialization", }, { cve: "CVE-2016-4437", cwe: { id: "CWE-287", name: "Improper Authentication", }, discovery_date: "2016-06-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1343346", }, ], notes: [ { category: "description", text: "It was found that Apache Shiro uses a default cipher key for its \"remember me\" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content.", title: "Vulnerability description", }, { category: "summary", text: "shiro: Security constraint bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-4437", }, { category: "external", summary: "RHBZ#1343346", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1343346", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-4437", url: "https://www.cve.org/CVERecord?id=CVE-2016-4437", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-4437", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-4437", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-06-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.3, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "exploit_status", date: "2021-11-03T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "shiro: Security constraint bypass", }, ], }
rhsa-2016_2035
Vulnerability from csaf_redhat
Published
2016-10-06 16:18
Modified
2024-12-29 18:16
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse 6.3 security update
Notes
Topic
Red Hat JBoss Fuse 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.
Red Hat JBoss Fuse 6.3 is a minor product release that updates Red Hat JBoss Fuse 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.
Security Fix(es):
It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)
A deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library. (CVE-2016-2510)
It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)
A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)
It was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks. (CVE-2015-5344)
It was found that Apache Camel's Jetty/Servlet permitted object deserialization. If using camel-jetty or camel-servlet as a consumer in Camel routes, then Camel will automatically deserialize HTTP requests that use the content-header: application/x-java-serialized-object. An attacker could use this vulnerability to gain access to unauthorized information or conduct further attacks. (CVE-2015-5348)
It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)
The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).
Refer to the Product Documentation link in the References section for installation instructions.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Fuse 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.\n\nRed Hat JBoss Fuse 6.3 is a minor product release that updates Red Hat JBoss Fuse 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.\n\nSecurity Fix(es):\n\nIt was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)\n\nA deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library. (CVE-2016-2510)\n\nIt was found that Apache Shiro uses a default cipher key for its \"remember me\" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)\n\nA denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)\n\nIt was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks. (CVE-2015-5344)\n\nIt was found that Apache Camel's Jetty/Servlet permitted object deserialization. If using camel-jetty or camel-servlet as a consumer in Camel routes, then Camel will automatically deserialize HTTP requests that use the content-header: application/x-java-serialized-object. An attacker could use this vulnerability to gain access to unauthorized information or conduct further attacks. (CVE-2015-5348)\n\nIt was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)\n\nThe CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).\n\nRefer to the Product Documentation link in the References section for installation instructions.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2016:2035", url: "https://access.redhat.com/errata/RHSA-2016:2035", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.3.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.3.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3", url: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3", }, { category: "external", summary: "1239002", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1239002", }, { category: "external", summary: "1276272", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1276272", }, { category: "external", summary: "1292849", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1292849", }, { category: "external", summary: "1303609", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1303609", }, { category: "external", summary: "1310647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1310647", }, { category: "external", summary: "1313589", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1313589", }, { category: "external", summary: "1343346", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1343346", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2035.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse 6.3 security update", tracking: { current_release_date: "2024-12-29T18:16:31+00:00", generator: { date: "2024-12-29T18:16:31+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.4", }, }, id: "RHSA-2016:2035", initial_release_date: "2016-10-06T16:18:07+00:00", revision_history: [ { date: "2016-10-06T16:18:07+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:38:22+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-29T18:16:31+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Fuse 6.3", product: { name: "Red Hat JBoss Fuse 6.3", product_id: "Red Hat JBoss Fuse 6.3", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.3", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-3192", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2015-06-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1239002", }, ], notes: [ { category: "description", text: "A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed.", title: "Vulnerability description", }, { category: "summary", text: "Framework: denial-of-service attack with XML input", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-3192", }, { category: "external", summary: "RHBZ#1239002", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1239002", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-3192", url: "https://www.cve.org/CVERecord?id=CVE-2015-3192", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-3192", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-3192", }, { category: "external", summary: "http://pivotal.io/security/cve-2015-3192", url: "http://pivotal.io/security/cve-2015-3192", }, ], release_date: "2015-06-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: denial-of-service attack with XML input", }, { cve: "CVE-2015-5254", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2015-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1291292", }, ], notes: [ { category: "description", text: "It was found that use of a JMS ObjectMessage does not safely handle user supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage.", title: "Vulnerability description", }, { category: "summary", text: "ObjectMessage: unsafe deserialization", title: "Vulnerability summary", }, { category: "other", text: "A malicious message producer needs to authenticate to EAP in order to send messages. Also, the use of JMS ObjectMessage needs to be chosen by the developer of the application. Therefore this issue is rated as moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5254", }, { category: "external", summary: "RHBZ#1291292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1291292", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5254", url: "https://www.cve.org/CVERecord?id=CVE-2015-5254", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5254", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5254", }, { category: "external", summary: "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt", url: "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt", }, ], release_date: "2015-12-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, { category: "workaround", details: "If you do deploy a JMS publisher, and subscriber, and don't trust the messages sent to you by your clients, you could mitigate this issue by installing a Java agent which restricts the classes which can be deserialized. This is an article with the recommended approach:\n\nhttps://access.redhat.com/solutions/2190911\n\nYou could also mitigate this issue using the features of the Java Virtual Machine added in JEP 290:\n\nhttp://openjdk.java.net/jeps/290", product_ids: [ "Red Hat JBoss Fuse 6.3", ], }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "ObjectMessage: unsafe deserialization", }, { cve: "CVE-2015-5344", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2016-01-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1303609", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks.", title: "Vulnerability description", }, { category: "summary", text: "camel-xstream: Java object de-serialization vulnerability leads to RCE", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5344", }, { category: "external", summary: "RHBZ#1303609", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1303609", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5344", url: "https://www.cve.org/CVERecord?id=CVE-2015-5344", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5344", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5344", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc?version=1&modificationDate=1454056803000&api=v2", url: "https://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc?version=1&modificationDate=1454056803000&api=v2", }, ], release_date: "2015-11-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "MULTIPLE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:M/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "camel-xstream: Java object de-serialization vulnerability leads to RCE", }, { cve: "CVE-2015-5348", discovery_date: "2015-12-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1292849", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's Jetty/Servlet usage is vulnerable to Java object de-serialisation vulnerability. If using camel-jetty, or camel-servlet as a consumer in Camel routes, then Camel will automatically de-serialize HTTP requests that uses the content-header: application/x-java-serialized-object.", title: "Vulnerability description", }, { category: "summary", text: "Camel: Java object deserialisation in Jetty/Servlet", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5348", }, { category: "external", summary: "RHBZ#1292849", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1292849", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5348", url: "https://www.cve.org/CVERecord?id=CVE-2015-5348", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5348", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5348", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-5348.txt", url: "https://camel.apache.org/security-advisories.data/CVE-2015-5348.txt", }, ], release_date: "2015-12-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: Java object deserialisation in Jetty/Servlet", }, { cve: "CVE-2015-7940", cwe: { id: "CWE-358", name: "Improperly Implemented Security Check for Standard", }, discovery_date: "2015-10-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1276272", }, ], notes: [ { category: "description", text: "It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Invalid curve attack allowing to extract private keys", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-7940", }, { category: "external", summary: "RHBZ#1276272", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1276272", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-7940", url: "https://www.cve.org/CVERecord?id=CVE-2015-7940", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-7940", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-7940", }, ], release_date: "2015-09-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Invalid curve attack allowing to extract private keys", }, { acknowledgments: [ { names: [ "Dennis Reed", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-2141", discovery_date: "2015-11-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1313589", }, ], notes: [ { category: "description", text: "It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.", title: "Vulnerability description", }, { category: "summary", text: "JGroups: Authorization bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-2141", }, { category: "external", summary: "RHBZ#1313589", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1313589", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-2141", url: "https://www.cve.org/CVERecord?id=CVE-2016-2141", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-2141", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-2141", }, ], release_date: "2016-06-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, { category: "workaround", details: "Please refer to https://access.redhat.com/articles/2360521 for more information.", product_ids: [ "Red Hat JBoss Fuse 6.3", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "JGroups: Authorization bypass", }, { cve: "CVE-2016-2510", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2016-02-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1310647", }, ], notes: [ { category: "description", text: "A deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library.", title: "Vulnerability description", }, { category: "summary", text: "bsh2: remote code execution via deserialization", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-2510", }, { category: "external", summary: "RHBZ#1310647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1310647", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-2510", url: "https://www.cve.org/CVERecord?id=CVE-2016-2510", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-2510", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-2510", }, { category: "external", summary: "https://github.com/beanshell/beanshell/releases/tag/2.0b6", url: "https://github.com/beanshell/beanshell/releases/tag/2.0b6", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "bsh2: remote code execution via deserialization", }, { cve: "CVE-2016-4437", cwe: { id: "CWE-287", name: "Improper Authentication", }, discovery_date: "2016-06-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1343346", }, ], notes: [ { category: "description", text: "It was found that Apache Shiro uses a default cipher key for its \"remember me\" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content.", title: "Vulnerability description", }, { category: "summary", text: "shiro: Security constraint bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-4437", }, { category: "external", summary: "RHBZ#1343346", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1343346", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-4437", url: "https://www.cve.org/CVERecord?id=CVE-2016-4437", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-4437", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-4437", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-06-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:07+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2035", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.3, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "exploit_status", date: "2021-11-03T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "shiro: Security constraint bypass", }, ], }
RHSA-2016:2036
Vulnerability from csaf_redhat
Published
2016-10-06 16:18
Modified
2024-11-22 10:24
Summary
Red Hat Security Advisory: Red Hat JBoss A-MQ 6.3 security update
Notes
Topic
Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications.
Red Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat JBoss A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.
Security Fix(es):
It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)
A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)
It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)
Refer to the Product Documentation link in the References section for installation instructions.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications.\n\nRed Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat JBoss A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.\n\nSecurity Fix(es):\n\nIt was found that Apache Shiro uses a default cipher key for its \"remember me\" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)\n\nA denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)\n\nIt was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)\n\nRefer to the Product Documentation link in the References section for installation instructions.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2016:2036", url: "https://access.redhat.com/errata/RHSA-2016:2036", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.3.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.3.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3", url: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3", }, { category: "external", summary: "1239002", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1239002", }, { category: "external", summary: "1276272", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1276272", }, { category: "external", summary: "1343346", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1343346", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2036.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss A-MQ 6.3 security update", tracking: { current_release_date: "2024-11-22T10:24:24+00:00", generator: { date: "2024-11-22T10:24:24+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2016:2036", initial_release_date: "2016-10-06T16:18:02+00:00", revision_history: [ { date: "2016-10-06T16:18:02+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:40:10+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T10:24:24+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss A-MQ 6.3", product: { name: "Red Hat JBoss A-MQ 6.3", product_id: "Red Hat JBoss A-MQ 6.3", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_amq:6.3", }, }, }, ], category: "product_family", name: "Red Hat JBoss AMQ", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-3192", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2015-06-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1239002", }, ], notes: [ { category: "description", text: "A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed.", title: "Vulnerability description", }, { category: "summary", text: "Framework: denial-of-service attack with XML input", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-3192", }, { category: "external", summary: "RHBZ#1239002", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1239002", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-3192", url: "https://www.cve.org/CVERecord?id=CVE-2015-3192", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-3192", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-3192", }, { category: "external", summary: "http://pivotal.io/security/cve-2015-3192", url: "http://pivotal.io/security/cve-2015-3192", }, ], release_date: "2015-06-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:02+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2036", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: denial-of-service attack with XML input", }, { cve: "CVE-2015-5254", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2015-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1291292", }, ], notes: [ { category: "description", text: "It was found that use of a JMS ObjectMessage does not safely handle user supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage.", title: "Vulnerability description", }, { category: "summary", text: "ObjectMessage: unsafe deserialization", title: "Vulnerability summary", }, { category: "other", text: "A malicious message producer needs to authenticate to EAP in order to send messages. Also, the use of JMS ObjectMessage needs to be chosen by the developer of the application. Therefore this issue is rated as moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5254", }, { category: "external", summary: "RHBZ#1291292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1291292", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5254", url: "https://www.cve.org/CVERecord?id=CVE-2015-5254", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5254", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5254", }, { category: "external", summary: "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt", url: "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt", }, ], release_date: "2015-12-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:02+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2036", }, { category: "workaround", details: "If you do deploy a JMS publisher, and subscriber, and don't trust the messages sent to you by your clients, you could mitigate this issue by installing a Java agent which restricts the classes which can be deserialized. This is an article with the recommended approach:\n\nhttps://access.redhat.com/solutions/2190911\n\nYou could also mitigate this issue using the features of the Java Virtual Machine added in JEP 290:\n\nhttp://openjdk.java.net/jeps/290", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "ObjectMessage: unsafe deserialization", }, { cve: "CVE-2015-7940", cwe: { id: "CWE-358", name: "Improperly Implemented Security Check for Standard", }, discovery_date: "2015-10-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1276272", }, ], notes: [ { category: "description", text: "It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Invalid curve attack allowing to extract private keys", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-7940", }, { category: "external", summary: "RHBZ#1276272", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1276272", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-7940", url: "https://www.cve.org/CVERecord?id=CVE-2015-7940", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-7940", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-7940", }, ], release_date: "2015-09-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:02+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2036", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Invalid curve attack allowing to extract private keys", }, { cve: "CVE-2016-3088", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2016-05-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1339318", }, ], notes: [ { category: "description", text: "The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.", title: "Vulnerability description", }, { category: "summary", text: "activemq: Fileserver web application vulnerability allowing RCE", title: "Vulnerability summary", }, { category: "other", text: "Red Hat JBoss A-MQ 6.3 , Red Hat JBoss Fuse 6.3, and Red Hat JBoss Fuse Service Works 6.0.0 do not provide the vulnerable component and are not affected by this flaw. Red Hat JBoss A-MQ 6.2.1 and Red Hat JBoss Fuse 6.2.1 disable the vulnerable component and as such are not vulnerable to this flaw. The fileserver component was first disabled in A-MQ 6.2.0 and Fuse 6.2.0. Users of older, unsupported versions of these products are strongly advised to observe the mitigation provided on this page.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-3088", }, { category: "external", summary: "RHBZ#1339318", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1339318", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-3088", url: "https://www.cve.org/CVERecord?id=CVE-2016-3088", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-3088", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-3088", }, { category: "external", summary: "http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt", url: "http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-05-24T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:02+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2036", }, { category: "workaround", details: "Users are advised to use other FTP and HTTP based file servers for transferring blob messages. Fileserver web application SHOULD NOT be used in older version of the broker and it should be disabled (it has been disabled by default since 5.12.0). This can be done by removing (commenting out) the following lines from conf\\jetty.xml file\n\n<bean class=\"org.eclipse.jetty.webapp.WebAppContext\">\n <property name=\"contextPath\" value=\"/fileserver\" />\n <property name=\"resourceBase\" value=\"${activemq.home}/webapps/fileserver\" />\n <property name=\"logUrlOnStart\" value=\"true\" />\n <property name=\"parentLoaderPriority\" value=\"true\" />\n</bean>", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.3", ], }, ], threats: [ { category: "exploit_status", date: "2022-02-10T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "activemq: Fileserver web application vulnerability allowing RCE", }, { cve: "CVE-2016-4437", cwe: { id: "CWE-287", name: "Improper Authentication", }, discovery_date: "2016-06-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1343346", }, ], notes: [ { category: "description", text: "It was found that Apache Shiro uses a default cipher key for its \"remember me\" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content.", title: "Vulnerability description", }, { category: "summary", text: "shiro: Security constraint bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-4437", }, { category: "external", summary: "RHBZ#1343346", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1343346", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-4437", url: "https://www.cve.org/CVERecord?id=CVE-2016-4437", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-4437", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-4437", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-06-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:02+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2036", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.3, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", ], }, ], threats: [ { category: "exploit_status", date: "2021-11-03T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "shiro: Security constraint bypass", }, ], }
rhsa-2016_2036
Vulnerability from csaf_redhat
Published
2016-10-06 16:18
Modified
2024-11-22 10:24
Summary
Red Hat Security Advisory: Red Hat JBoss A-MQ 6.3 security update
Notes
Topic
Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications.
Red Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat JBoss A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.
Security Fix(es):
It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)
A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)
It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)
Refer to the Product Documentation link in the References section for installation instructions.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications.\n\nRed Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat JBoss A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.\n\nSecurity Fix(es):\n\nIt was found that Apache Shiro uses a default cipher key for its \"remember me\" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)\n\nA denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)\n\nIt was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)\n\nRefer to the Product Documentation link in the References section for installation instructions.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2016:2036", url: "https://access.redhat.com/errata/RHSA-2016:2036", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.3.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.3.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3", url: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3", }, { category: "external", summary: "1239002", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1239002", }, { category: "external", summary: "1276272", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1276272", }, { category: "external", summary: "1343346", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1343346", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2036.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss A-MQ 6.3 security update", tracking: { current_release_date: "2024-11-22T10:24:24+00:00", generator: { date: "2024-11-22T10:24:24+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2016:2036", initial_release_date: "2016-10-06T16:18:02+00:00", revision_history: [ { date: "2016-10-06T16:18:02+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:40:10+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T10:24:24+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss A-MQ 6.3", product: { name: "Red Hat JBoss A-MQ 6.3", product_id: "Red Hat JBoss A-MQ 6.3", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_amq:6.3", }, }, }, ], category: "product_family", name: "Red Hat JBoss AMQ", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-3192", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2015-06-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1239002", }, ], notes: [ { category: "description", text: "A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed.", title: "Vulnerability description", }, { category: "summary", text: "Framework: denial-of-service attack with XML input", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-3192", }, { category: "external", summary: "RHBZ#1239002", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1239002", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-3192", url: "https://www.cve.org/CVERecord?id=CVE-2015-3192", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-3192", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-3192", }, { category: "external", summary: "http://pivotal.io/security/cve-2015-3192", url: "http://pivotal.io/security/cve-2015-3192", }, ], release_date: "2015-06-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:02+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2036", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Framework: denial-of-service attack with XML input", }, { cve: "CVE-2015-5254", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2015-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1291292", }, ], notes: [ { category: "description", text: "It was found that use of a JMS ObjectMessage does not safely handle user supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage.", title: "Vulnerability description", }, { category: "summary", text: "ObjectMessage: unsafe deserialization", title: "Vulnerability summary", }, { category: "other", text: "A malicious message producer needs to authenticate to EAP in order to send messages. Also, the use of JMS ObjectMessage needs to be chosen by the developer of the application. Therefore this issue is rated as moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5254", }, { category: "external", summary: "RHBZ#1291292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1291292", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5254", url: "https://www.cve.org/CVERecord?id=CVE-2015-5254", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5254", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5254", }, { category: "external", summary: "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt", url: "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt", }, ], release_date: "2015-12-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:02+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2036", }, { category: "workaround", details: "If you do deploy a JMS publisher, and subscriber, and don't trust the messages sent to you by your clients, you could mitigate this issue by installing a Java agent which restricts the classes which can be deserialized. This is an article with the recommended approach:\n\nhttps://access.redhat.com/solutions/2190911\n\nYou could also mitigate this issue using the features of the Java Virtual Machine added in JEP 290:\n\nhttp://openjdk.java.net/jeps/290", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "ObjectMessage: unsafe deserialization", }, { cve: "CVE-2015-7940", cwe: { id: "CWE-358", name: "Improperly Implemented Security Check for Standard", }, discovery_date: "2015-10-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1276272", }, ], notes: [ { category: "description", text: "It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Invalid curve attack allowing to extract private keys", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-7940", }, { category: "external", summary: "RHBZ#1276272", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1276272", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-7940", url: "https://www.cve.org/CVERecord?id=CVE-2015-7940", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-7940", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-7940", }, ], release_date: "2015-09-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:02+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2036", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Invalid curve attack allowing to extract private keys", }, { cve: "CVE-2016-3088", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2016-05-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1339318", }, ], notes: [ { category: "description", text: "The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.", title: "Vulnerability description", }, { category: "summary", text: "activemq: Fileserver web application vulnerability allowing RCE", title: "Vulnerability summary", }, { category: "other", text: "Red Hat JBoss A-MQ 6.3 , Red Hat JBoss Fuse 6.3, and Red Hat JBoss Fuse Service Works 6.0.0 do not provide the vulnerable component and are not affected by this flaw. Red Hat JBoss A-MQ 6.2.1 and Red Hat JBoss Fuse 6.2.1 disable the vulnerable component and as such are not vulnerable to this flaw. The fileserver component was first disabled in A-MQ 6.2.0 and Fuse 6.2.0. Users of older, unsupported versions of these products are strongly advised to observe the mitigation provided on this page.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-3088", }, { category: "external", summary: "RHBZ#1339318", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1339318", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-3088", url: "https://www.cve.org/CVERecord?id=CVE-2016-3088", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-3088", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-3088", }, { category: "external", summary: "http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt", url: "http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-05-24T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:02+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2036", }, { category: "workaround", details: "Users are advised to use other FTP and HTTP based file servers for transferring blob messages. Fileserver web application SHOULD NOT be used in older version of the broker and it should be disabled (it has been disabled by default since 5.12.0). This can be done by removing (commenting out) the following lines from conf\\jetty.xml file\n\n<bean class=\"org.eclipse.jetty.webapp.WebAppContext\">\n <property name=\"contextPath\" value=\"/fileserver\" />\n <property name=\"resourceBase\" value=\"${activemq.home}/webapps/fileserver\" />\n <property name=\"logUrlOnStart\" value=\"true\" />\n <property name=\"parentLoaderPriority\" value=\"true\" />\n</bean>", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.3", ], }, ], threats: [ { category: "exploit_status", date: "2022-02-10T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "activemq: Fileserver web application vulnerability allowing RCE", }, { cve: "CVE-2016-4437", cwe: { id: "CWE-287", name: "Improper Authentication", }, discovery_date: "2016-06-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1343346", }, ], notes: [ { category: "description", text: "It was found that Apache Shiro uses a default cipher key for its \"remember me\" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content.", title: "Vulnerability description", }, { category: "summary", text: "shiro: Security constraint bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-4437", }, { category: "external", summary: "RHBZ#1343346", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1343346", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-4437", url: "https://www.cve.org/CVERecord?id=CVE-2016-4437", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-4437", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-4437", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-06-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-06T16:18:02+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2036", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.3, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", ], }, ], threats: [ { category: "exploit_status", date: "2021-11-03T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "shiro: Security constraint bypass", }, ], }
fkie_cve-2015-7940
Vulnerability from fkie_nvd
Published
2015-11-09 16:59
Modified
2024-11-21 02:37
Severity ?
Summary
The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| opensuse | leap | 42.1 | |
| opensuse | opensuse | 13.1 | |
| opensuse | opensuse | 13.2 | |
| bouncycastle | bouncy_castle_crypto_package | * | |
| oracle | application_testing_suite | 12.5.0.1 | |
| oracle | application_testing_suite | 12.5.0.2 | |
| oracle | application_testing_suite | 12.5.0.3 | |
| oracle | enterprise_manager_ops_center | 12.1.4 | |
| oracle | enterprise_manager_ops_center | 12.2.2 | |
| oracle | peoplesoft_enterprise_peopletools | 8.54 | |
| oracle | peoplesoft_enterprise_peopletools | 8.55 | |
| oracle | virtual_desktop_infrastructure | 3.5.2 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*", matchCriteriaId: "4863BE36-D16A-4D75-90D9-FD76DB5B48B7", vulnerable: true, }, { criteria: "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", matchCriteriaId: "A10BC294-9196-425F-9FB0-B1625465B47F", vulnerable: true, }, { criteria: "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", matchCriteriaId: "03117DF1-3BEC-4B8D-AD63-DBBDB2126081", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:*:*:*:*:*:*:*:*", matchCriteriaId: "1F13E5A4-3B59-4F36-9876-1824D17B792F", versionEndIncluding: "1.50", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:application_testing_suite:12.5.0.1:*:*:*:*:*:*:*", matchCriteriaId: "E3DDC0DF-B134-4168-8A29-5002305C1167", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:application_testing_suite:12.5.0.2:*:*:*:*:*:*:*", matchCriteriaId: "62E818A9-663D-4AFB-B3D6-686CE4DB9676", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*", matchCriteriaId: "17EA8B91-7634-4636-B647-1049BA7CA088", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.1.4:*:*:*:*:*:*:*", matchCriteriaId: "BA2CF507-AA3F-464C-88DF-71E30672E623", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*", matchCriteriaId: "BE12B6A4-E128-41EC-8017-558F50B961BE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.54:*:*:*:*:*:*:*", matchCriteriaId: "CDD82442-3535-4BB9-8888-F61A35B900AB", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*", matchCriteriaId: "45CB30A1-B2C9-4BF5-B510-1F2F18B60C64", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:virtual_desktop_infrastructure:3.5.2:*:*:*:*:*:*:*", matchCriteriaId: "89E7F3DD-4137-4613-A4CC-26DB2FFF2871", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\"", }, { lang: "es", value: "La librería Bouncy Castle Java en versiones anteriores a 1.51 no valida un punto que se encuentra dentro de la curva elíptica, lo que facilita a atacantes remotos obtener claves privadas a través de una serie de intercambios de clave de curva elíptica Diffie Hellman (ECDH) manipulados, también conocida como un 'ataque de curva no válida'.", }, ], id: "CVE-2015-7940", lastModified: "2024-11-21T02:37:42.203", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2015-11-09T16:59:09.277", references: [ { source: "cve@mitre.org", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html", }, { source: "cve@mitre.org", url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { source: "cve@mitre.org", url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { source: "cve@mitre.org", tags: [ "Technical Description", ], url: "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html", }, { source: "cve@mitre.org", url: "http://www.debian.org/security/2015/dsa-3417", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.openwall.com/lists/oss-security/2015/10/22/7", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.openwall.com/lists/oss-security/2015/10/22/9", }, { source: "cve@mitre.org", url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { source: "cve@mitre.org", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { source: "cve@mitre.org", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", }, { source: "cve@mitre.org", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { source: "cve@mitre.org", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { source: "cve@mitre.org", url: "http://www.securityfocus.com/bid/79091", }, { source: "cve@mitre.org", url: "http://www.securitytracker.com/id/1037036", }, { source: "cve@mitre.org", url: "http://www.securitytracker.com/id/1037046", }, { source: "cve@mitre.org", url: "http://www.securitytracker.com/id/1037053", }, { source: "cve@mitre.org", url: "https://usn.ubuntu.com/3727-1/", }, { source: "cve@mitre.org", url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { source: "cve@mitre.org", url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Technical Description", ], url: "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2015/dsa-3417", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.openwall.com/lists/oss-security/2015/10/22/7", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.openwall.com/lists/oss-security/2015/10/22/9", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/79091", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securitytracker.com/id/1037036", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securitytracker.com/id/1037046", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securitytracker.com/id/1037053", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://usn.ubuntu.com/3727-1/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, { lang: "en", value: "CWE-310", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
gsd-2015-7940
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
Aliases
Aliases
{ GSD: { alias: "CVE-2015-7940", description: "The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\"", id: "GSD-2015-7940", references: [ "https://www.suse.com/security/cve/CVE-2015-7940.html", "https://www.debian.org/security/2015/dsa-3417", "https://access.redhat.com/errata/RHSA-2016:2036", "https://access.redhat.com/errata/RHSA-2016:2035", "https://ubuntu.com/security/CVE-2015-7940", "https://advisories.mageia.org/CVE-2015-7940.html", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2015-7940", ], details: "The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\"", id: "GSD-2015-7940", modified: "2023-12-13T01:20:01.049751Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2015-7940", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\"", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2016:2035", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", refsource: "CONFIRM", url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { name: "79091", refsource: "BID", url: "http://www.securityfocus.com/bid/79091", }, { name: "openSUSE-SU-2015:1911", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html", }, { name: "FEDORA-2015-7d95466eda", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { name: "RHSA-2016:2036", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { name: "USN-3727-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3727-1/", }, { name: "[oss-security] 20151022 Re: CVE Request: invalid curve attack on bouncycastle", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2015/10/22/9", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "1037036", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1037036", }, { name: "[oss-security] 20151022 CVE Request: invalid curve attack on bouncycastle", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2015/10/22/7", }, { name: "DSA-3417", refsource: "DEBIAN", url: "http://www.debian.org/security/2015/dsa-3417", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", }, { name: "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html", refsource: "MISC", url: "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html", }, { name: "1037046", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1037046", }, { name: "1037053", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1037053", }, { name: "https://www.oracle.com/security-alerts/cpuapr2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, ], }, }, "gitlab.com": { advisories: [ { affected_range: "(,1.51)", affected_versions: "All versions before 1.51", cvss_v2: "AV:N/AC:L/Au:N/C:P/I:N/A:N", cwe_ids: [ "CWE-1035", "CWE-200", "CWE-310", "CWE-937", ], date: "2021-09-01", description: "The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\"", fixed_versions: [ "1.51", ], identifier: "CVE-2015-7940", identifiers: [ "GHSA-4mv7-cq75-3qjm", "CVE-2015-7940", ], not_impacted: "All versions starting from 1.51", package_slug: "maven/org.bouncycastle/bcprov-jdk14", pubdate: "2018-10-17", solution: "Upgrade to version 1.51 or above.", title: "Exposure of Sensitive Information to an Unauthorized Actor", urls: [ "https://nvd.nist.gov/vuln/detail/CVE-2015-7940", "https://github.com/advisories/GHSA-4mv7-cq75-3qjm", ], uuid: "c1a1fdd9-c8dd-45d6-ac51-9b40e769c8b7", }, { affected_range: "(,1.51)", affected_versions: "All versions before 1.51", cvss_v2: "AV:N/AC:L/Au:N/C:P/I:N/A:N", cwe_ids: [ "CWE-1035", "CWE-200", "CWE-310", "CWE-937", ], date: "2021-09-01", description: "The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\"", fixed_versions: [ "1.51", ], identifier: "CVE-2015-7940", identifiers: [ "GHSA-4mv7-cq75-3qjm", "CVE-2015-7940", ], not_impacted: "All versions starting from 1.51", package_slug: "maven/org.bouncycastle/bcprov-jdk15", pubdate: "2018-10-17", solution: "Upgrade to version 1.51 or above.", title: "Exposure of Sensitive Information to an Unauthorized Actor", urls: [ "https://nvd.nist.gov/vuln/detail/CVE-2015-7940", "https://github.com/advisories/GHSA-4mv7-cq75-3qjm", ], uuid: "d2c4109a-45c3-4ca9-bba4-e70c3a896cc3", }, ], }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:*:*:*:*:*:*:*:*", cpe_name: [], versionEndIncluding: "1.50", vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:oracle:virtual_desktop_infrastructure:3.5.2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.1.4:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.54:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:oracle:application_testing_suite:12.5.0.2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:oracle:application_testing_suite:12.5.0.1:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2015-7940", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\"", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "CWE-310", }, { lang: "en", value: "CWE-200", }, ], }, ], }, references: { reference_data: [ { name: "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html", refsource: "MISC", tags: [ "Technical Description", ], url: "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html", }, { name: "openSUSE-SU-2015:1911", refsource: "SUSE", tags: [ "Third Party Advisory", ], url: "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html", }, { name: "[oss-security] 20151022 Re: CVE Request: invalid curve attack on bouncycastle", refsource: "MLIST", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.openwall.com/lists/oss-security/2015/10/22/9", }, { name: "[oss-security] 20151022 CVE Request: invalid curve attack on bouncycastle", refsource: "MLIST", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.openwall.com/lists/oss-security/2015/10/22/7", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", refsource: "CONFIRM", tags: [ "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { name: "79091", refsource: "BID", tags: [], url: "http://www.securityfocus.com/bid/79091", }, { name: "DSA-3417", refsource: "DEBIAN", tags: [], url: "http://www.debian.org/security/2015/dsa-3417", }, { name: "FEDORA-2015-7d95466eda", refsource: "FEDORA", tags: [], url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html", }, { name: "1037053", refsource: "SECTRACK", tags: [], url: "http://www.securitytracker.com/id/1037053", }, { name: "1037046", refsource: "SECTRACK", tags: [], url: "http://www.securitytracker.com/id/1037046", }, { name: "1037036", refsource: "SECTRACK", tags: [], url: "http://www.securitytracker.com/id/1037036", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", refsource: "CONFIRM", tags: [], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", refsource: "CONFIRM", tags: [], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { name: "RHSA-2016:2036", refsource: "REDHAT", tags: [], url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { name: "RHSA-2016:2035", refsource: "REDHAT", tags: [], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", refsource: "CONFIRM", tags: [], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", refsource: "CONFIRM", tags: [], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", refsource: "CONFIRM", tags: [], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { name: "USN-3727-1", refsource: "UBUNTU", tags: [], url: "https://usn.ubuntu.com/3727-1/", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", refsource: "CONFIRM", tags: [], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { name: "N/A", refsource: "N/A", tags: [], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, ], }, }, impact: { baseMetricV2: { cvssV2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "MEDIUM", userInteractionRequired: false, }, }, lastModifiedDate: "2019-01-16T19:29Z", publishedDate: "2015-11-09T16:59Z", }, }, }
ghsa-4mv7-cq75-3qjm
Vulnerability from github
Published
2018-10-17 16:27
Modified
2020-06-16 20:58
Summary
Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15
Details
The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
{ affected: [ { package: { ecosystem: "Maven", name: "org.bouncycastle:bcprov-jdk15", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "1.51", }, ], type: "ECOSYSTEM", }, ], }, { package: { ecosystem: "Maven", name: "org.bouncycastle:bcprov-jdk14", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "1.51", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2015-7940", ], database_specific: { cwe_ids: [ "CWE-200", ], github_reviewed: true, github_reviewed_at: "2020-06-16T20:58:37Z", nvd_published_at: null, severity: "MODERATE", }, details: "The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\"", id: "GHSA-4mv7-cq75-3qjm", modified: "2020-06-16T20:58:37Z", published: "2018-10-17T16:27:50Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-7940", }, { type: "ADVISORY", url: "https://github.com/advisories/GHSA-4mv7-cq75-3qjm", }, { type: "WEB", url: "https://usn.ubuntu.com/3727-1", }, { type: "WEB", url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { type: "WEB", url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { type: "WEB", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html", }, { type: "WEB", url: "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html", }, { type: "WEB", url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { type: "WEB", url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { type: "WEB", url: "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html", }, { type: "WEB", url: "http://www.debian.org/security/2015/dsa-3417", }, { type: "WEB", url: "http://www.openwall.com/lists/oss-security/2015/10/22/7", }, { type: "WEB", url: "http://www.openwall.com/lists/oss-security/2015/10/22/9", }, { type: "WEB", url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { type: "WEB", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { type: "WEB", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", }, { type: "WEB", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { type: "WEB", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { type: "WEB", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { type: "WEB", url: "http://www.securityfocus.com/bid/79091", }, { type: "WEB", url: "http://www.securitytracker.com/id/1037036", }, { type: "WEB", url: "http://www.securitytracker.com/id/1037046", }, { type: "WEB", url: "http://www.securitytracker.com/id/1037053", }, ], schema_version: "1.4.0", severity: [], summary: "Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15", }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.