Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2017-7957
Vulnerability from cvelistv5
Published
2017-04-29 19:00
Modified
2024-08-05 16:19
Severity ?
EPSS score ?
Summary
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T16:19:29.479Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2017:2888", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { name: "RHSA-2017:1832", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:1832", }, { name: "RHSA-2017:2889", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { name: "1039499", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1039499", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www-prd-trops.events.ibm.com/node/715749", }, { name: "xstream-cve20177957-dos(125800)", tags: [ "vdb-entry", "x_refsource_XF", "x_transferred", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/125800", }, { name: "DSA-3841", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2017/dsa-3841", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://x-stream.github.io/CVE-2017-7957.html", }, { name: "100687", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/100687", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-04-29T00:00:00", descriptions: [ { lang: "en", value: "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-07-05T17:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "RHSA-2017:2888", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { name: "RHSA-2017:1832", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:1832", }, { name: "RHSA-2017:2889", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { name: "1039499", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1039499", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www-prd-trops.events.ibm.com/node/715749", }, { name: "xstream-cve20177957-dos(125800)", tags: [ "vdb-entry", "x_refsource_XF", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/125800", }, { name: "DSA-3841", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2017/dsa-3841", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://x-stream.github.io/CVE-2017-7957.html", }, { name: "100687", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/100687", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-7957", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2017:2888", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { name: "RHSA-2017:1832", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:1832", }, { name: "RHSA-2017:2889", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { name: "1039499", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1039499", }, { name: "https://www-prd-trops.events.ibm.com/node/715749", refsource: "CONFIRM", url: "https://www-prd-trops.events.ibm.com/node/715749", }, { name: "xstream-cve20177957-dos(125800)", refsource: "XF", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/125800", }, { name: "DSA-3841", refsource: "DEBIAN", url: "http://www.debian.org/security/2017/dsa-3841", }, { name: "http://x-stream.github.io/CVE-2017-7957.html", refsource: "CONFIRM", url: "http://x-stream.github.io/CVE-2017-7957.html", }, { name: "100687", refsource: "BID", url: "http://www.securityfocus.com/bid/100687", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-7957", datePublished: "2017-04-29T19:00:00", dateReserved: "2017-04-19T00:00:00", dateUpdated: "2024-08-05T16:19:29.479Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { nvd: "{\"cve\":{\"id\":\"CVE-2017-7957\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2017-04-29T19:59:00.167\",\"lastModified\":\"2024-11-21T03:33:02.627\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\\\"<void/>\\\") call.\"},{\"lang\":\"es\",\"value\":\"XStream a través de 1.4.9, cuando no se utiliza una solución de denyTypes, mishandles intenta crear una instancia del tipo primitivo 'void' durante unmarshalling, dando lugar a un fallo de aplicación remota, como lo demuestra una llamda a xstream.fromXML (\\\" > \\\").\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":true,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.4.9\",\"matchCriteriaId\":\"09F03F13-9D82-4AC4-805E-330346A0A37A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]}],\"references\":[{\"url\":\"http://www.debian.org/security/2017/dsa-3841\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/100687\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1039499\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://x-stream.github.io/CVE-2017-7957.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:1832\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2888\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2889\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/125800\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www-prd-trops.events.ibm.com/node/715749\",\"source\":\"cve@mitre.org\",\"tags\":[\"Permissions Required\"]},{\"url\":\"http://www.debian.org/security/2017/dsa-3841\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/100687\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1039499\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://x-stream.github.io/CVE-2017-7957.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:1832\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2888\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2889\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/125800\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www-prd-trops.events.ibm.com/node/715749\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]}]}}", }, }
RHSA-2017:2888
Vulnerability from csaf_redhat
Published
2017-10-12 21:59
Modified
2025-02-02 20:02
Summary
Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.6 security update
Notes
Topic
An update is now available for Red Hat JBoss BRMS.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.
This release of Red Hat JBoss BRMS 6.4.6 serves as a replacement for Red Hat JBoss BRMS 6.4.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss BRMS.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.4.6 serves as a replacement for Red Hat JBoss BRMS 6.4.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2888", url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.4", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.4", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-brms/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-brms/", }, { category: "external", summary: "1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2888.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.6 security update", tracking: { current_release_date: "2025-02-02T20:02:51+00:00", generator: { date: "2025-02-02T20:02:51+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2017:2888", initial_release_date: "2017-10-12T21:59:23+00:00", revision_history: [ { date: "2017-10-12T21:59:23+00:00", number: "1", summary: "Initial version", }, { date: "2017-10-12T21:59:23+00:00", number: "2", summary: "Last updated version", }, { date: "2025-02-02T20:02:51+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BRMS 6.4", product: { name: "Red Hat JBoss BRMS 6.4", product_id: "Red Hat JBoss BRMS 6.4", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_brms_platform:6.4", }, }, }, ], category: "product_family", name: "Red Hat Decision Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:23+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2888", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { cve: "CVE-2017-7957", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1441538", }, ], notes: [ { category: "description", text: "It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system.", title: "Vulnerability description", }, { category: "summary", text: "XStream: DoS when unmarshalling void type", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7957", }, { category: "external", summary: "RHBZ#1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7957", url: "https://www.cve.org/CVERecord?id=CVE-2017-7957", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", }, { category: "external", summary: "http://x-stream.github.io/CVE-2017-7957.html", url: "http://x-stream.github.io/CVE-2017-7957.html", }, ], release_date: "2017-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:23+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2888", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: DoS when unmarshalling void type", }, { cve: "CVE-2019-17571", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2019-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1785616", }, ], notes: [ { category: "description", text: "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", title: "Vulnerability description", }, { category: "summary", text: "log4j: deserialization of untrusted data in SocketServer", title: "Vulnerability summary", }, { category: "other", text: "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17571", }, { category: "external", summary: "RHBZ#1785616", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1785616", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17571", url: "https://www.cve.org/CVERecord?id=CVE-2019-17571", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", }, ], release_date: "2019-12-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:23+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { category: "workaround", details: "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", product_ids: [ "Red Hat JBoss BRMS 6.4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: deserialization of untrusted data in SocketServer", }, ], }
rhsa-2017:2888
Vulnerability from csaf_redhat
Published
2017-10-12 21:59
Modified
2025-02-02 20:02
Summary
Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.6 security update
Notes
Topic
An update is now available for Red Hat JBoss BRMS.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.
This release of Red Hat JBoss BRMS 6.4.6 serves as a replacement for Red Hat JBoss BRMS 6.4.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss BRMS.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.4.6 serves as a replacement for Red Hat JBoss BRMS 6.4.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2888", url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.4", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.4", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-brms/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-brms/", }, { category: "external", summary: "1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2888.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.6 security update", tracking: { current_release_date: "2025-02-02T20:02:51+00:00", generator: { date: "2025-02-02T20:02:51+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2017:2888", initial_release_date: "2017-10-12T21:59:23+00:00", revision_history: [ { date: "2017-10-12T21:59:23+00:00", number: "1", summary: "Initial version", }, { date: "2017-10-12T21:59:23+00:00", number: "2", summary: "Last updated version", }, { date: "2025-02-02T20:02:51+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BRMS 6.4", product: { name: "Red Hat JBoss BRMS 6.4", product_id: "Red Hat JBoss BRMS 6.4", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_brms_platform:6.4", }, }, }, ], category: "product_family", name: "Red Hat Decision Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:23+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2888", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { cve: "CVE-2017-7957", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1441538", }, ], notes: [ { category: "description", text: "It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system.", title: "Vulnerability description", }, { category: "summary", text: "XStream: DoS when unmarshalling void type", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7957", }, { category: "external", summary: "RHBZ#1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7957", url: "https://www.cve.org/CVERecord?id=CVE-2017-7957", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", }, { category: "external", summary: "http://x-stream.github.io/CVE-2017-7957.html", url: "http://x-stream.github.io/CVE-2017-7957.html", }, ], release_date: "2017-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:23+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2888", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: DoS when unmarshalling void type", }, { cve: "CVE-2019-17571", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2019-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1785616", }, ], notes: [ { category: "description", text: "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", title: "Vulnerability description", }, { category: "summary", text: "log4j: deserialization of untrusted data in SocketServer", title: "Vulnerability summary", }, { category: "other", text: "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17571", }, { category: "external", summary: "RHBZ#1785616", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1785616", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17571", url: "https://www.cve.org/CVERecord?id=CVE-2019-17571", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", }, ], release_date: "2019-12-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:23+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { category: "workaround", details: "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", product_ids: [ "Red Hat JBoss BRMS 6.4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: deserialization of untrusted data in SocketServer", }, ], }
RHSA-2017:1832
Vulnerability from csaf_redhat
Published
2017-08-10 23:03
Modified
2024-11-22 11:10
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R4 security and bug fix update
Notes
Topic
An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.
This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.
Security Fix(es):
* It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies. (CVE-2017-2589)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues. (CVE-2016-8749)
* It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint. (CVE-2016-9879)
* It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root. (CVE-2017-2594)
* It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk, JWT access tokens, or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms. (CVE-2017-3156)
* It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). (CVE-2017-5643)
* It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message. (CVE-2017-5653)
* It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user. (CVE-2017-5656)
* It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains. (CVE-2017-5929)
* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)
The CVE-2017-2589 issue was discovered by Adam Willard (Blue Canopy) and Dennis Reed (Red Hat) and the CVE-2017-2594 issue was discovered by Hooman Broujerdi (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.\n\nSecurity Fix(es):\n\n* It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies. (CVE-2017-2589)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)\n\n* It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues. (CVE-2016-8749)\n\n* It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint. (CVE-2016-9879)\n\n* It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root. (CVE-2017-2594)\n\n* It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk, JWT access tokens, or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms. (CVE-2017-3156)\n\n* It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). (CVE-2017-5643)\n\n* It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message. (CVE-2017-5653)\n\n* It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user. (CVE-2017-5656)\n\n* It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains. (CVE-2017-5929)\n\n* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)\n\nThe CVE-2017-2589 issue was discovered by Adam Willard (Blue Canopy) and Dennis Reed (Red Hat) and the CVE-2017-2594 issue was discovered by Hooman Broujerdi (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:1832", url: "https://access.redhat.com/errata/RHSA-2017:1832", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=jboss.amq&version=6.3.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=jboss.amq&version=6.3.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/", }, { category: "external", summary: "1409838", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1409838", }, { category: "external", summary: "1413905", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1413905", }, { category: "external", summary: "1415543", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1415543", }, { category: "external", summary: "1420832", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1420832", }, { category: "external", summary: "1425455", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1425455", }, { category: "external", summary: "1432858", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1432858", }, { category: "external", summary: "1433374", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1433374", }, { category: "external", summary: "1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "1445327", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1445327", }, { category: "external", summary: "1445329", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1445329", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_1832.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R4 security and bug fix update", tracking: { current_release_date: "2024-11-22T11:10:23+00:00", generator: { date: "2024-11-22T11:10:23+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:1832", initial_release_date: "2017-08-10T23:03:00+00:00", revision_history: [ { date: "2017-08-10T23:03:00+00:00", number: "1", summary: "Initial version", }, { date: "2017-08-15T01:47:49+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T11:10:23+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss A-MQ 6.3", product: { name: "Red Hat JBoss A-MQ 6.3", product_id: "Red Hat JBoss A-MQ 6.3", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_amq:6.3", }, }, }, { category: "product_name", name: "Red Hat JBoss Fuse 6.3", product: { name: "Red Hat JBoss Fuse 6.3", product_id: "Red Hat JBoss Fuse 6.3", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.3", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-6644", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2017-04-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1444015", }, ], notes: [ { category: "description", text: "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information disclosure in GCMBlockCipher", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-6644", }, { category: "external", summary: "RHBZ#1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-6644", url: "https://www.cve.org/CVERecord?id=CVE-2015-6644", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", }, ], release_date: "2016-01-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information disclosure in GCMBlockCipher", }, { cve: "CVE-2016-8749", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-02-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1420832", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. Camel allows such a type through the 'CamelJacksonUnmarshalType' property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.", title: "Vulnerability description", }, { category: "summary", text: "camel-jacksonxml: Unmarshalling operation are vulnerable to RCE", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8749", }, { category: "external", summary: "RHBZ#1420832", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1420832", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8749", url: "https://www.cve.org/CVERecord?id=CVE-2016-8749", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8749", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8749", }, { category: "external", summary: "http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc", url: "http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc", }, ], release_date: "2016-12-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "camel-jacksonxml: Unmarshalling operation are vulnerable to RCE", }, { cve: "CVE-2016-9879", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-12-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1409838", }, ], notes: [ { category: "description", text: "It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint.", title: "Vulnerability description", }, { category: "summary", text: "Security: Improper handling of path parameters allows bypassing the security constraint", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-9879", }, { category: "external", summary: "RHBZ#1409838", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1409838", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-9879", url: "https://www.cve.org/CVERecord?id=CVE-2016-9879", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-9879", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-9879", }, { category: "external", summary: "https://pivotal.io/security/cve-2016-9879", url: "https://pivotal.io/security/cve-2016-9879", }, ], release_date: "2016-12-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, { category: "workaround", details: "Use a Servlet container known not to include path parameters in the return values for getServletPath() and getPathInfo()", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Security: Improper handling of path parameters allows bypassing the security constraint", }, { acknowledgments: [ { names: [ "Adam Willard", ], organization: "Blue Canopy", }, { names: [ "Dennis Reed", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2589", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2017-01-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1413905", }, ], notes: [ { category: "description", text: "It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies.", title: "Vulnerability description", }, { category: "summary", text: "hawtio: Proxy is sharing cookies among all the clients", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2589", }, { category: "external", summary: "RHBZ#1413905", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1413905", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2589", url: "https://www.cve.org/CVERecord?id=CVE-2017-2589", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2589", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2589", }, ], release_date: "2017-07-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "hawtio: Proxy is sharing cookies among all the clients", }, { acknowledgments: [ { names: [ "Hooman Broujerdi", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2594", cwe: { id: "CWE-209", name: "Generation of Error Message Containing Sensitive Information", }, discovery_date: "2017-01-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1415543", }, ], notes: [ { category: "description", text: "It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root.", title: "Vulnerability description", }, { category: "summary", text: "hawtio: information Disclosure flaws due to unsafe path traversal", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2594", }, { category: "external", summary: "RHBZ#1415543", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1415543", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2594", url: "https://www.cve.org/CVERecord?id=CVE-2017-2594", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2594", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2594", }, ], release_date: "2017-01-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hawtio: information Disclosure flaws due to unsafe path traversal", }, { cve: "CVE-2017-3156", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-02-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1425455", }, ], notes: [ { category: "description", text: "It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk or JWT access tokens or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms.", title: "Vulnerability description", }, { category: "summary", text: "cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-3156", }, { category: "external", summary: "RHBZ#1425455", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1425455", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-3156", url: "https://www.cve.org/CVERecord?id=CVE-2017-3156", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-3156", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-3156", }, { category: "external", summary: "https://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc", url: "https://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks", }, { cve: "CVE-2017-5643", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2017-03-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1433374", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources.", title: "Vulnerability description", }, { category: "summary", text: "camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5643", }, { category: "external", summary: "RHBZ#1433374", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1433374", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5643", url: "https://www.cve.org/CVERecord?id=CVE-2017-5643", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5643", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5643", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2017-5643.txt", url: "https://camel.apache.org/security-advisories.data/CVE-2017-5643.txt", }, ], release_date: "2017-02-24T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE", }, { cve: "CVE-2017-5653", discovery_date: "2017-04-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1445327", }, ], notes: [ { category: "description", text: "It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message.", title: "Vulnerability description", }, { category: "summary", text: "cxf: CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5653", }, { category: "external", summary: "RHBZ#1445327", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1445327", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5653", url: "https://www.cve.org/CVERecord?id=CVE-2017-5653", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5653", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5653", }, { category: "external", summary: "http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc", url: "http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc", }, ], release_date: "2017-03-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "cxf: CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted", }, { cve: "CVE-2017-5656", discovery_date: "2017-04-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1445329", }, ], notes: [ { category: "description", text: "It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user.", title: "Vulnerability description", }, { category: "summary", text: "cxf: CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5656", }, { category: "external", summary: "RHBZ#1445329", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1445329", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5656", url: "https://www.cve.org/CVERecord?id=CVE-2017-5656", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5656", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5656", }, { category: "external", summary: "http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc", url: "http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc", }, ], release_date: "2017-04-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "cxf: CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens", }, { cve: "CVE-2017-5929", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-03-10T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1432858", }, ], notes: [ { category: "description", text: "It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains.", title: "Vulnerability description", }, { category: "summary", text: "logback: Serialization vulnerability in SocketServer and ServerSocketReceiver", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5929", }, { category: "external", summary: "RHBZ#1432858", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1432858", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5929", url: "https://www.cve.org/CVERecord?id=CVE-2017-5929", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5929", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5929", }, ], release_date: "2017-02-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "LOW", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "logback: Serialization vulnerability in SocketServer and ServerSocketReceiver", }, { cve: "CVE-2017-7957", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1441538", }, ], notes: [ { category: "description", text: "It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system.", title: "Vulnerability description", }, { category: "summary", text: "XStream: DoS when unmarshalling void type", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7957", }, { category: "external", summary: "RHBZ#1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7957", url: "https://www.cve.org/CVERecord?id=CVE-2017-7957", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", }, { category: "external", summary: "http://x-stream.github.io/CVE-2017-7957.html", url: "http://x-stream.github.io/CVE-2017-7957.html", }, ], release_date: "2017-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: DoS when unmarshalling void type", }, ], }
rhsa-2017_2889
Vulnerability from csaf_redhat
Published
2017-10-12 21:59
Modified
2024-12-29 18:21
Summary
Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.6 security update
Notes
Topic
An update is now available for Red Hat JBoss BPM Suite.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.
This release of Red Hat JBoss BPM Suite 6.4.6 serves as a replacement for Red Hat JBoss BPM Suite 6.4.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss BPM Suite.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.4.6 serves as a replacement for Red Hat JBoss BPM Suite 6.4.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2889", url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.4", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.4", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/", }, { category: "external", summary: "1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2889.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.6 security update", tracking: { current_release_date: "2024-12-29T18:21:38+00:00", generator: { date: "2024-12-29T18:21:38+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.4", }, }, id: "RHSA-2017:2889", initial_release_date: "2017-10-12T21:59:42+00:00", revision_history: [ { date: "2017-10-12T21:59:42+00:00", number: "1", summary: "Initial version", }, { date: "2017-10-12T21:59:42+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-29T18:21:38+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BPMS 6.4", product: { name: "Red Hat JBoss BPMS 6.4", product_id: "Red Hat JBoss BPMS 6.4", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_bpms:6.4", }, }, }, ], category: "product_family", name: "Red Hat Process Automation Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:42+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2889", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { cve: "CVE-2017-7957", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1441538", }, ], notes: [ { category: "description", text: "It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system.", title: "Vulnerability description", }, { category: "summary", text: "XStream: DoS when unmarshalling void type", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7957", }, { category: "external", summary: "RHBZ#1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7957", url: "https://www.cve.org/CVERecord?id=CVE-2017-7957", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", }, { category: "external", summary: "http://x-stream.github.io/CVE-2017-7957.html", url: "http://x-stream.github.io/CVE-2017-7957.html", }, ], release_date: "2017-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:42+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2889", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: DoS when unmarshalling void type", }, { cve: "CVE-2019-17571", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2019-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1785616", }, ], notes: [ { category: "description", text: "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", title: "Vulnerability description", }, { category: "summary", text: "log4j: deserialization of untrusted data in SocketServer", title: "Vulnerability summary", }, { category: "other", text: "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17571", }, { category: "external", summary: "RHBZ#1785616", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1785616", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17571", url: "https://www.cve.org/CVERecord?id=CVE-2019-17571", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", }, ], release_date: "2019-12-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:42+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { category: "workaround", details: "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", product_ids: [ "Red Hat JBoss BPMS 6.4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: deserialization of untrusted data in SocketServer", }, ], }
rhsa-2017_1832
Vulnerability from csaf_redhat
Published
2017-08-10 23:03
Modified
2024-11-22 11:10
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R4 security and bug fix update
Notes
Topic
An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.
This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.
Security Fix(es):
* It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies. (CVE-2017-2589)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues. (CVE-2016-8749)
* It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint. (CVE-2016-9879)
* It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root. (CVE-2017-2594)
* It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk, JWT access tokens, or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms. (CVE-2017-3156)
* It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). (CVE-2017-5643)
* It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message. (CVE-2017-5653)
* It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user. (CVE-2017-5656)
* It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains. (CVE-2017-5929)
* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)
The CVE-2017-2589 issue was discovered by Adam Willard (Blue Canopy) and Dennis Reed (Red Hat) and the CVE-2017-2594 issue was discovered by Hooman Broujerdi (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.\n\nSecurity Fix(es):\n\n* It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies. (CVE-2017-2589)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)\n\n* It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues. (CVE-2016-8749)\n\n* It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint. (CVE-2016-9879)\n\n* It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root. (CVE-2017-2594)\n\n* It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk, JWT access tokens, or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms. (CVE-2017-3156)\n\n* It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). (CVE-2017-5643)\n\n* It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message. (CVE-2017-5653)\n\n* It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user. (CVE-2017-5656)\n\n* It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains. (CVE-2017-5929)\n\n* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)\n\nThe CVE-2017-2589 issue was discovered by Adam Willard (Blue Canopy) and Dennis Reed (Red Hat) and the CVE-2017-2594 issue was discovered by Hooman Broujerdi (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:1832", url: "https://access.redhat.com/errata/RHSA-2017:1832", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=jboss.amq&version=6.3.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=jboss.amq&version=6.3.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/", }, { category: "external", summary: "1409838", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1409838", }, { category: "external", summary: "1413905", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1413905", }, { category: "external", summary: "1415543", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1415543", }, { category: "external", summary: "1420832", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1420832", }, { category: "external", summary: "1425455", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1425455", }, { category: "external", summary: "1432858", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1432858", }, { category: "external", summary: "1433374", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1433374", }, { category: "external", summary: "1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "1445327", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1445327", }, { category: "external", summary: "1445329", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1445329", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_1832.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R4 security and bug fix update", tracking: { current_release_date: "2024-11-22T11:10:23+00:00", generator: { date: "2024-11-22T11:10:23+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:1832", initial_release_date: "2017-08-10T23:03:00+00:00", revision_history: [ { date: "2017-08-10T23:03:00+00:00", number: "1", summary: "Initial version", }, { date: "2017-08-15T01:47:49+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T11:10:23+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss A-MQ 6.3", product: { name: "Red Hat JBoss A-MQ 6.3", product_id: "Red Hat JBoss A-MQ 6.3", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_amq:6.3", }, }, }, { category: "product_name", name: "Red Hat JBoss Fuse 6.3", product: { name: "Red Hat JBoss Fuse 6.3", product_id: "Red Hat JBoss Fuse 6.3", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.3", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-6644", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2017-04-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1444015", }, ], notes: [ { category: "description", text: "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information disclosure in GCMBlockCipher", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-6644", }, { category: "external", summary: "RHBZ#1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-6644", url: "https://www.cve.org/CVERecord?id=CVE-2015-6644", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", }, ], release_date: "2016-01-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information disclosure in GCMBlockCipher", }, { cve: "CVE-2016-8749", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-02-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1420832", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. Camel allows such a type through the 'CamelJacksonUnmarshalType' property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.", title: "Vulnerability description", }, { category: "summary", text: "camel-jacksonxml: Unmarshalling operation are vulnerable to RCE", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8749", }, { category: "external", summary: "RHBZ#1420832", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1420832", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8749", url: "https://www.cve.org/CVERecord?id=CVE-2016-8749", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8749", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8749", }, { category: "external", summary: "http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc", url: "http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc", }, ], release_date: "2016-12-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "camel-jacksonxml: Unmarshalling operation are vulnerable to RCE", }, { cve: "CVE-2016-9879", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-12-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1409838", }, ], notes: [ { category: "description", text: "It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint.", title: "Vulnerability description", }, { category: "summary", text: "Security: Improper handling of path parameters allows bypassing the security constraint", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-9879", }, { category: "external", summary: "RHBZ#1409838", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1409838", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-9879", url: "https://www.cve.org/CVERecord?id=CVE-2016-9879", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-9879", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-9879", }, { category: "external", summary: "https://pivotal.io/security/cve-2016-9879", url: "https://pivotal.io/security/cve-2016-9879", }, ], release_date: "2016-12-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, { category: "workaround", details: "Use a Servlet container known not to include path parameters in the return values for getServletPath() and getPathInfo()", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Security: Improper handling of path parameters allows bypassing the security constraint", }, { acknowledgments: [ { names: [ "Adam Willard", ], organization: "Blue Canopy", }, { names: [ "Dennis Reed", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2589", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2017-01-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1413905", }, ], notes: [ { category: "description", text: "It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies.", title: "Vulnerability description", }, { category: "summary", text: "hawtio: Proxy is sharing cookies among all the clients", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2589", }, { category: "external", summary: "RHBZ#1413905", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1413905", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2589", url: "https://www.cve.org/CVERecord?id=CVE-2017-2589", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2589", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2589", }, ], release_date: "2017-07-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "hawtio: Proxy is sharing cookies among all the clients", }, { acknowledgments: [ { names: [ "Hooman Broujerdi", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2594", cwe: { id: "CWE-209", name: "Generation of Error Message Containing Sensitive Information", }, discovery_date: "2017-01-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1415543", }, ], notes: [ { category: "description", text: "It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root.", title: "Vulnerability description", }, { category: "summary", text: "hawtio: information Disclosure flaws due to unsafe path traversal", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2594", }, { category: "external", summary: "RHBZ#1415543", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1415543", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2594", url: "https://www.cve.org/CVERecord?id=CVE-2017-2594", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2594", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2594", }, ], release_date: "2017-01-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hawtio: information Disclosure flaws due to unsafe path traversal", }, { cve: "CVE-2017-3156", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-02-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1425455", }, ], notes: [ { category: "description", text: "It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk or JWT access tokens or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms.", title: "Vulnerability description", }, { category: "summary", text: "cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-3156", }, { category: "external", summary: "RHBZ#1425455", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1425455", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-3156", url: "https://www.cve.org/CVERecord?id=CVE-2017-3156", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-3156", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-3156", }, { category: "external", summary: "https://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc", url: "https://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks", }, { cve: "CVE-2017-5643", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2017-03-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1433374", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources.", title: "Vulnerability description", }, { category: "summary", text: "camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5643", }, { category: "external", summary: "RHBZ#1433374", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1433374", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5643", url: "https://www.cve.org/CVERecord?id=CVE-2017-5643", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5643", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5643", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2017-5643.txt", url: "https://camel.apache.org/security-advisories.data/CVE-2017-5643.txt", }, ], release_date: "2017-02-24T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE", }, { cve: "CVE-2017-5653", discovery_date: "2017-04-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1445327", }, ], notes: [ { category: "description", text: "It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message.", title: "Vulnerability description", }, { category: "summary", text: "cxf: CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5653", }, { category: "external", summary: "RHBZ#1445327", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1445327", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5653", url: "https://www.cve.org/CVERecord?id=CVE-2017-5653", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5653", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5653", }, { category: "external", summary: "http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc", url: "http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc", }, ], release_date: "2017-03-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "cxf: CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted", }, { cve: "CVE-2017-5656", discovery_date: "2017-04-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1445329", }, ], notes: [ { category: "description", text: "It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user.", title: "Vulnerability description", }, { category: "summary", text: "cxf: CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5656", }, { category: "external", summary: "RHBZ#1445329", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1445329", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5656", url: "https://www.cve.org/CVERecord?id=CVE-2017-5656", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5656", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5656", }, { category: "external", summary: "http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc", url: "http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc", }, ], release_date: "2017-04-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "cxf: CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens", }, { cve: "CVE-2017-5929", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-03-10T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1432858", }, ], notes: [ { category: "description", text: "It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains.", title: "Vulnerability description", }, { category: "summary", text: "logback: Serialization vulnerability in SocketServer and ServerSocketReceiver", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5929", }, { category: "external", summary: "RHBZ#1432858", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1432858", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5929", url: "https://www.cve.org/CVERecord?id=CVE-2017-5929", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5929", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5929", }, ], release_date: "2017-02-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "LOW", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "logback: Serialization vulnerability in SocketServer and ServerSocketReceiver", }, { cve: "CVE-2017-7957", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1441538", }, ], notes: [ { category: "description", text: "It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system.", title: "Vulnerability description", }, { category: "summary", text: "XStream: DoS when unmarshalling void type", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7957", }, { category: "external", summary: "RHBZ#1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7957", url: "https://www.cve.org/CVERecord?id=CVE-2017-7957", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", }, { category: "external", summary: "http://x-stream.github.io/CVE-2017-7957.html", url: "http://x-stream.github.io/CVE-2017-7957.html", }, ], release_date: "2017-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: DoS when unmarshalling void type", }, ], }
rhsa-2017:2889
Vulnerability from csaf_redhat
Published
2017-10-12 21:59
Modified
2025-02-02 20:02
Summary
Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.6 security update
Notes
Topic
An update is now available for Red Hat JBoss BPM Suite.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.
This release of Red Hat JBoss BPM Suite 6.4.6 serves as a replacement for Red Hat JBoss BPM Suite 6.4.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss BPM Suite.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.4.6 serves as a replacement for Red Hat JBoss BPM Suite 6.4.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2889", url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.4", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.4", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/", }, { category: "external", summary: "1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2889.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.6 security update", tracking: { current_release_date: "2025-02-02T20:02:55+00:00", generator: { date: "2025-02-02T20:02:55+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2017:2889", initial_release_date: "2017-10-12T21:59:42+00:00", revision_history: [ { date: "2017-10-12T21:59:42+00:00", number: "1", summary: "Initial version", }, { date: "2017-10-12T21:59:42+00:00", number: "2", summary: "Last updated version", }, { date: "2025-02-02T20:02:55+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BPMS 6.4", product: { name: "Red Hat JBoss BPMS 6.4", product_id: "Red Hat JBoss BPMS 6.4", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_bpms:6.4", }, }, }, ], category: "product_family", name: "Red Hat Process Automation Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:42+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2889", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { cve: "CVE-2017-7957", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1441538", }, ], notes: [ { category: "description", text: "It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system.", title: "Vulnerability description", }, { category: "summary", text: "XStream: DoS when unmarshalling void type", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7957", }, { category: "external", summary: "RHBZ#1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7957", url: "https://www.cve.org/CVERecord?id=CVE-2017-7957", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", }, { category: "external", summary: "http://x-stream.github.io/CVE-2017-7957.html", url: "http://x-stream.github.io/CVE-2017-7957.html", }, ], release_date: "2017-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:42+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2889", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: DoS when unmarshalling void type", }, { cve: "CVE-2019-17571", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2019-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1785616", }, ], notes: [ { category: "description", text: "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", title: "Vulnerability description", }, { category: "summary", text: "log4j: deserialization of untrusted data in SocketServer", title: "Vulnerability summary", }, { category: "other", text: "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17571", }, { category: "external", summary: "RHBZ#1785616", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1785616", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17571", url: "https://www.cve.org/CVERecord?id=CVE-2019-17571", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", }, ], release_date: "2019-12-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:42+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { category: "workaround", details: "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", product_ids: [ "Red Hat JBoss BPMS 6.4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: deserialization of untrusted data in SocketServer", }, ], }
RHSA-2017:2889
Vulnerability from csaf_redhat
Published
2017-10-12 21:59
Modified
2025-02-02 20:02
Summary
Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.6 security update
Notes
Topic
An update is now available for Red Hat JBoss BPM Suite.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.
This release of Red Hat JBoss BPM Suite 6.4.6 serves as a replacement for Red Hat JBoss BPM Suite 6.4.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss BPM Suite.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.4.6 serves as a replacement for Red Hat JBoss BPM Suite 6.4.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2889", url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.4", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.4", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/", }, { category: "external", summary: "1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2889.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.6 security update", tracking: { current_release_date: "2025-02-02T20:02:55+00:00", generator: { date: "2025-02-02T20:02:55+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2017:2889", initial_release_date: "2017-10-12T21:59:42+00:00", revision_history: [ { date: "2017-10-12T21:59:42+00:00", number: "1", summary: "Initial version", }, { date: "2017-10-12T21:59:42+00:00", number: "2", summary: "Last updated version", }, { date: "2025-02-02T20:02:55+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BPMS 6.4", product: { name: "Red Hat JBoss BPMS 6.4", product_id: "Red Hat JBoss BPMS 6.4", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_bpms:6.4", }, }, }, ], category: "product_family", name: "Red Hat Process Automation Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:42+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2889", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { cve: "CVE-2017-7957", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1441538", }, ], notes: [ { category: "description", text: "It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system.", title: "Vulnerability description", }, { category: "summary", text: "XStream: DoS when unmarshalling void type", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7957", }, { category: "external", summary: "RHBZ#1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7957", url: "https://www.cve.org/CVERecord?id=CVE-2017-7957", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", }, { category: "external", summary: "http://x-stream.github.io/CVE-2017-7957.html", url: "http://x-stream.github.io/CVE-2017-7957.html", }, ], release_date: "2017-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:42+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2889", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: DoS when unmarshalling void type", }, { cve: "CVE-2019-17571", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2019-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1785616", }, ], notes: [ { category: "description", text: "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", title: "Vulnerability description", }, { category: "summary", text: "log4j: deserialization of untrusted data in SocketServer", title: "Vulnerability summary", }, { category: "other", text: "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17571", }, { category: "external", summary: "RHBZ#1785616", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1785616", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17571", url: "https://www.cve.org/CVERecord?id=CVE-2019-17571", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", }, ], release_date: "2019-12-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:42+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { category: "workaround", details: "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", product_ids: [ "Red Hat JBoss BPMS 6.4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: deserialization of untrusted data in SocketServer", }, ], }
rhsa-2017_2888
Vulnerability from csaf_redhat
Published
2017-10-12 21:59
Modified
2024-12-29 18:21
Summary
Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.6 security update
Notes
Topic
An update is now available for Red Hat JBoss BRMS.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.
This release of Red Hat JBoss BRMS 6.4.6 serves as a replacement for Red Hat JBoss BRMS 6.4.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss BRMS.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.4.6 serves as a replacement for Red Hat JBoss BRMS 6.4.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2888", url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.4", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.4", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-brms/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-brms/", }, { category: "external", summary: "1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2888.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.6 security update", tracking: { current_release_date: "2024-12-29T18:21:33+00:00", generator: { date: "2024-12-29T18:21:33+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.4", }, }, id: "RHSA-2017:2888", initial_release_date: "2017-10-12T21:59:23+00:00", revision_history: [ { date: "2017-10-12T21:59:23+00:00", number: "1", summary: "Initial version", }, { date: "2017-10-12T21:59:23+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-29T18:21:33+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BRMS 6.4", product: { name: "Red Hat JBoss BRMS 6.4", product_id: "Red Hat JBoss BRMS 6.4", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_brms_platform:6.4", }, }, }, ], category: "product_family", name: "Red Hat Decision Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:23+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2888", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { cve: "CVE-2017-7957", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1441538", }, ], notes: [ { category: "description", text: "It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system.", title: "Vulnerability description", }, { category: "summary", text: "XStream: DoS when unmarshalling void type", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7957", }, { category: "external", summary: "RHBZ#1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7957", url: "https://www.cve.org/CVERecord?id=CVE-2017-7957", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", }, { category: "external", summary: "http://x-stream.github.io/CVE-2017-7957.html", url: "http://x-stream.github.io/CVE-2017-7957.html", }, ], release_date: "2017-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:23+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2888", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: DoS when unmarshalling void type", }, { cve: "CVE-2019-17571", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2019-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1785616", }, ], notes: [ { category: "description", text: "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", title: "Vulnerability description", }, { category: "summary", text: "log4j: deserialization of untrusted data in SocketServer", title: "Vulnerability summary", }, { category: "other", text: "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17571", }, { category: "external", summary: "RHBZ#1785616", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1785616", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17571", url: "https://www.cve.org/CVERecord?id=CVE-2019-17571", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", }, ], release_date: "2019-12-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-12T21:59:23+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { category: "workaround", details: "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", product_ids: [ "Red Hat JBoss BRMS 6.4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: deserialization of untrusted data in SocketServer", }, ], }
rhsa-2017:1832
Vulnerability from csaf_redhat
Published
2017-08-10 23:03
Modified
2024-11-22 11:10
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R4 security and bug fix update
Notes
Topic
An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.
This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.
Security Fix(es):
* It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies. (CVE-2017-2589)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues. (CVE-2016-8749)
* It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint. (CVE-2016-9879)
* It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root. (CVE-2017-2594)
* It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk, JWT access tokens, or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms. (CVE-2017-3156)
* It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). (CVE-2017-5643)
* It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message. (CVE-2017-5653)
* It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user. (CVE-2017-5656)
* It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains. (CVE-2017-5929)
* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)
The CVE-2017-2589 issue was discovered by Adam Willard (Blue Canopy) and Dennis Reed (Red Hat) and the CVE-2017-2594 issue was discovered by Hooman Broujerdi (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.\n\nSecurity Fix(es):\n\n* It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies. (CVE-2017-2589)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)\n\n* It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues. (CVE-2016-8749)\n\n* It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint. (CVE-2016-9879)\n\n* It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root. (CVE-2017-2594)\n\n* It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk, JWT access tokens, or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms. (CVE-2017-3156)\n\n* It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). (CVE-2017-5643)\n\n* It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message. (CVE-2017-5653)\n\n* It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user. (CVE-2017-5656)\n\n* It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains. (CVE-2017-5929)\n\n* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)\n\nThe CVE-2017-2589 issue was discovered by Adam Willard (Blue Canopy) and Dennis Reed (Red Hat) and the CVE-2017-2594 issue was discovered by Hooman Broujerdi (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:1832", url: "https://access.redhat.com/errata/RHSA-2017:1832", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=jboss.amq&version=6.3.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=jboss.amq&version=6.3.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/", }, { category: "external", summary: "1409838", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1409838", }, { category: "external", summary: "1413905", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1413905", }, { category: "external", summary: "1415543", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1415543", }, { category: "external", summary: "1420832", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1420832", }, { category: "external", summary: "1425455", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1425455", }, { category: "external", summary: "1432858", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1432858", }, { category: "external", summary: "1433374", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1433374", }, { category: "external", summary: "1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "1445327", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1445327", }, { category: "external", summary: "1445329", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1445329", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_1832.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R4 security and bug fix update", tracking: { current_release_date: "2024-11-22T11:10:23+00:00", generator: { date: "2024-11-22T11:10:23+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:1832", initial_release_date: "2017-08-10T23:03:00+00:00", revision_history: [ { date: "2017-08-10T23:03:00+00:00", number: "1", summary: "Initial version", }, { date: "2017-08-15T01:47:49+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T11:10:23+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss A-MQ 6.3", product: { name: "Red Hat JBoss A-MQ 6.3", product_id: "Red Hat JBoss A-MQ 6.3", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_amq:6.3", }, }, }, { category: "product_name", name: "Red Hat JBoss Fuse 6.3", product: { name: "Red Hat JBoss Fuse 6.3", product_id: "Red Hat JBoss Fuse 6.3", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.3", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-6644", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2017-04-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1444015", }, ], notes: [ { category: "description", text: "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information disclosure in GCMBlockCipher", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-6644", }, { category: "external", summary: "RHBZ#1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-6644", url: "https://www.cve.org/CVERecord?id=CVE-2015-6644", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", }, ], release_date: "2016-01-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information disclosure in GCMBlockCipher", }, { cve: "CVE-2016-8749", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-02-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1420832", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. Camel allows such a type through the 'CamelJacksonUnmarshalType' property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.", title: "Vulnerability description", }, { category: "summary", text: "camel-jacksonxml: Unmarshalling operation are vulnerable to RCE", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8749", }, { category: "external", summary: "RHBZ#1420832", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1420832", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8749", url: "https://www.cve.org/CVERecord?id=CVE-2016-8749", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8749", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8749", }, { category: "external", summary: "http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc", url: "http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc", }, ], release_date: "2016-12-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "camel-jacksonxml: Unmarshalling operation are vulnerable to RCE", }, { cve: "CVE-2016-9879", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-12-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1409838", }, ], notes: [ { category: "description", text: "It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint.", title: "Vulnerability description", }, { category: "summary", text: "Security: Improper handling of path parameters allows bypassing the security constraint", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-9879", }, { category: "external", summary: "RHBZ#1409838", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1409838", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-9879", url: "https://www.cve.org/CVERecord?id=CVE-2016-9879", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-9879", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-9879", }, { category: "external", summary: "https://pivotal.io/security/cve-2016-9879", url: "https://pivotal.io/security/cve-2016-9879", }, ], release_date: "2016-12-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, { category: "workaround", details: "Use a Servlet container known not to include path parameters in the return values for getServletPath() and getPathInfo()", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Security: Improper handling of path parameters allows bypassing the security constraint", }, { acknowledgments: [ { names: [ "Adam Willard", ], organization: "Blue Canopy", }, { names: [ "Dennis Reed", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2589", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2017-01-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1413905", }, ], notes: [ { category: "description", text: "It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies.", title: "Vulnerability description", }, { category: "summary", text: "hawtio: Proxy is sharing cookies among all the clients", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2589", }, { category: "external", summary: "RHBZ#1413905", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1413905", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2589", url: "https://www.cve.org/CVERecord?id=CVE-2017-2589", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2589", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2589", }, ], release_date: "2017-07-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "hawtio: Proxy is sharing cookies among all the clients", }, { acknowledgments: [ { names: [ "Hooman Broujerdi", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2594", cwe: { id: "CWE-209", name: "Generation of Error Message Containing Sensitive Information", }, discovery_date: "2017-01-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1415543", }, ], notes: [ { category: "description", text: "It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root.", title: "Vulnerability description", }, { category: "summary", text: "hawtio: information Disclosure flaws due to unsafe path traversal", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2594", }, { category: "external", summary: "RHBZ#1415543", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1415543", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2594", url: "https://www.cve.org/CVERecord?id=CVE-2017-2594", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2594", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2594", }, ], release_date: "2017-01-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hawtio: information Disclosure flaws due to unsafe path traversal", }, { cve: "CVE-2017-3156", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-02-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1425455", }, ], notes: [ { category: "description", text: "It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk or JWT access tokens or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms.", title: "Vulnerability description", }, { category: "summary", text: "cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-3156", }, { category: "external", summary: "RHBZ#1425455", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1425455", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-3156", url: "https://www.cve.org/CVERecord?id=CVE-2017-3156", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-3156", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-3156", }, { category: "external", summary: "https://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc", url: "https://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks", }, { cve: "CVE-2017-5643", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2017-03-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1433374", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources.", title: "Vulnerability description", }, { category: "summary", text: "camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5643", }, { category: "external", summary: "RHBZ#1433374", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1433374", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5643", url: "https://www.cve.org/CVERecord?id=CVE-2017-5643", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5643", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5643", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2017-5643.txt", url: "https://camel.apache.org/security-advisories.data/CVE-2017-5643.txt", }, ], release_date: "2017-02-24T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE", }, { cve: "CVE-2017-5653", discovery_date: "2017-04-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1445327", }, ], notes: [ { category: "description", text: "It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message.", title: "Vulnerability description", }, { category: "summary", text: "cxf: CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5653", }, { category: "external", summary: "RHBZ#1445327", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1445327", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5653", url: "https://www.cve.org/CVERecord?id=CVE-2017-5653", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5653", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5653", }, { category: "external", summary: "http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc", url: "http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc", }, ], release_date: "2017-03-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "cxf: CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted", }, { cve: "CVE-2017-5656", discovery_date: "2017-04-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1445329", }, ], notes: [ { category: "description", text: "It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user.", title: "Vulnerability description", }, { category: "summary", text: "cxf: CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5656", }, { category: "external", summary: "RHBZ#1445329", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1445329", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5656", url: "https://www.cve.org/CVERecord?id=CVE-2017-5656", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5656", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5656", }, { category: "external", summary: "http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc", url: "http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc", }, ], release_date: "2017-04-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "cxf: CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens", }, { cve: "CVE-2017-5929", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-03-10T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1432858", }, ], notes: [ { category: "description", text: "It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains.", title: "Vulnerability description", }, { category: "summary", text: "logback: Serialization vulnerability in SocketServer and ServerSocketReceiver", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5929", }, { category: "external", summary: "RHBZ#1432858", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1432858", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5929", url: "https://www.cve.org/CVERecord?id=CVE-2017-5929", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5929", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5929", }, ], release_date: "2017-02-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "LOW", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "logback: Serialization vulnerability in SocketServer and ServerSocketReceiver", }, { cve: "CVE-2017-7957", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1441538", }, ], notes: [ { category: "description", text: "It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system.", title: "Vulnerability description", }, { category: "summary", text: "XStream: DoS when unmarshalling void type", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7957", }, { category: "external", summary: "RHBZ#1441538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1441538", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7957", url: "https://www.cve.org/CVERecord?id=CVE-2017-7957", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", }, { category: "external", summary: "http://x-stream.github.io/CVE-2017-7957.html", url: "http://x-stream.github.io/CVE-2017-7957.html", }, ], release_date: "2017-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-10T23:03:00+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:1832", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss A-MQ 6.3", "Red Hat JBoss Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: DoS when unmarshalling void type", }, ], }
ghsa-7hwc-46rm-65jh
Vulnerability from github
Published
2020-06-30 22:48
Modified
2021-09-22 18:46
Severity ?
Summary
Denial of service in XStream
Details
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call.
{ affected: [ { package: { ecosystem: "Maven", name: "com.thoughtworks.xstream:xstream", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "1.4.10", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2017-7957", ], database_specific: { cwe_ids: [ "CWE-20", ], github_reviewed: true, github_reviewed_at: "2020-06-30T22:47:51Z", nvd_published_at: null, severity: "HIGH", }, details: "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", id: "GHSA-7hwc-46rm-65jh", modified: "2021-09-22T18:46:25Z", published: "2020-06-30T22:48:24Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7957", }, { type: "WEB", url: "https://github.com/x-stream/xstream/commit/6e546ec366419158b1e393211be6d78ab9604ab", }, { type: "WEB", url: "https://github.com/x-stream/xstream/commit/8542d02d9ac5d384c85f4b33d6c1888c53bd55d", }, { type: "WEB", url: "https://github.com/x-stream/xstream/commit/b3570be2f39234e61f99f9a20640756ea71b1b4", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:1832", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { type: "WEB", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/125800", }, { type: "PACKAGE", url: "https://github.com/x-stream/xstream", }, { type: "WEB", url: "https://www-prd-trops.events.ibm.com/node/715749", }, { type: "WEB", url: "http://www.debian.org/security/2017/dsa-3841", }, { type: "WEB", url: "http://www.securityfocus.com/bid/100687", }, { type: "WEB", url: "http://www.securitytracker.com/id/1039499", }, { type: "WEB", url: "http://x-stream.github.io/CVE-2017-7957.html", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", type: "CVSS_V3", }, ], summary: "Denial of service in XStream", }
suse-ru-2019:1006-1
Vulnerability from csaf_suse
Published
2019-04-24 10:06
Modified
2019-04-24 10:06
Summary
Security update for SUSE Manager Server 3.2
Notes
Title of the patch
Security update for SUSE Manager Server 3.2
Description of the patch
This update includes the following new features:
to the repository metadata (fate#325676)
This update fixes the following issues:
apache-commons-lang3:
- Run fdupes on javadoc
- Specify java target and source level 1.6
to make package compatible with JDK >= 1.8
cobbler:
- Fixes case where distribution detection returns None (bsc#1130658)
- SUSE texmode fix (bsc#1109316)
drools:
- Update Drools to 7.17.0
- Release Notes: https://issues.jboss.org/secure/ReleaseNote.jspa
- Fixes for SLE 15 compatibility
guava:
- Updated from 13.0.1 to 27.0.1
- Changes between 13.0.1 and 23.0:
https://github.com/google/guava/wiki/Release14
https://github.com/google/guava/wiki/Release15
https://github.com/google/guava/wiki/Release16
https://github.com/google/guava/wiki/Release17
https://github.com/google/guava/wiki/Release18
https://github.com/google/guava/wiki/Release19
https://github.com/google/guava/wiki/Release23
- Changes between 23.0 and 27.0.1:
see https://github.com/google/guava/releases
jade4j:
- Conditional java/java-devel requires based on os version
- Update dependency version for commons-lang3 to 3.4
- Fix building javadoc
kie-api:
- Update KIE to 7.17.0
- Release notes: https://issues.jboss.org/secure/ReleaseNote.jspa
optaplanner:
- Update Optaplanner to 7.17.0
py26-compat-salt:
- Fix minion arguments assign via sysctl (bsc#1124290)
smdba:
- Make 'smdba space-overview' postgresql version
agnostic (bsc#1129956)
- Fix version mismatch
spacecmd:
- Fix system_delete with SSM (bsc#1125744)
spacewalk-admin:
- Fix encoding bug in salt event processing (bsc#1129851)
spacewalk-backend:
- Fix linking of packages in reposync (bsc#1131677)
- Fix: handle non-standard filenames for comps.xml (bsc#1120242)
- Mgr-sign-metadata can optionally clear-sign metadata files
spacewalk-branding:
- Introduce a description label for the new 'minion-checkin' Taskomatic job (bsc#1122837)
spacewalk-certs-tools:
- Add support for Ubuntu to bootstrap script
- Clean up downloaded gpg keys after bootstrap (bsc#1126075)
spacewalk-java:
- Fix base channel selection for Ubuntu systems (bsc#1132579)
- Fix retrieval of build time for .deb repositories (bsc#1131721)
- Allow access to susemanager tools channels without res subscription (bsc#1127542)
- Add support for SLES 15 live patches in CVE audit
- Add a Taskomatic job to perform minion check-in regularly, drop use of Salt's Mine (bsc#1122837)
- Fix errata_details to return details correctly (bsc#1128228)
- Support ubuntu products and debian architectures in mgr-sync
- Adapt check for available repositories to debian style repositories
- Add support for custom username when bootstrapping with Salt-SSH
- Read and update running kernel release value at each startup of minion (bsc#1122381)
- Add error message on sync refresh when there are no scc credentials
- Fix apidoc issues
- Fix deleting server when minion_formulas.json is empty (bsc#1122230)
- Minion-action-cleanup Taskomatic task: do not clean actions younger than one hour
- Schedule full package refresh only once per action chain if needed (bsc#1126518)
- Check and schedule package refresh in response to events independently of what originates them (bsc#1126099)
- Add configuration option to limit the number of changelog entries added
to the repository metadata (fate#325676)
- Generate InRelease file for Debian/Ubuntu repos when metadata signing is enabled
spacewalk-web:
- Show undetected subscription-matching message object as a string anyway (bsc#1125600)
- Fix action scheduler time picker prefill when the server is on 'UTC/GMT' timezone (bsc#1121195)
- Allow username input on bootstrap page when using Salt-SSH
- Add cache buster for static files (js/css) to fix caching issues after upgrading.
subscription-matcher:
- Update dependencies (Drools, Optaplanner, Guava, Xstream)
- Make the java and java-devel requirements variable
- Relax the requirement condition on apache-commons-lang3
susemanager:
- Support creating bootstrap repos for Ubuntu 18.04 and 16.04.
- Allow alternative names for bootstrap packages, to allow
using old client tools after package renames
- Feat: create Ubuntu empty repository
- Fix creation of bootstrap repositories for SLE12 (no SP) by
requiring python-setuptools only for SLE12 >= SP1 (bsc#1129765)
- Add bootstrap repo definition for SLE15 SP1
susemanager-docs_en:
- Update text and image files.
- Fix bad link.
- Update Manual Backup and smdba sections.
- Troubleshooting Salt clients.
- Fix package endpoint in salt pillar content.
- Ubuntu Clients supported.
- Change License to GFL 1.2, as it is the real license for the doc
since 3.2.0
susemanager-schema:
- Add a Taskomatic job to perform minion check-in regularly, drop use of Salt's Mine (bsc#1122837)
- Fix performance regression in inter-server-sync (bsc#1128781)
- Set minion-action-cleanup run frequency from hourly to daily at midnight
susemanager-sls:
- Update get_kernel_live_version module to support older Salt versions (bsc#1131490)
- Update get_kernel_live_version module to support SLES 15 live patches
- Do not configure Salt Mine in newly registered minions (bsc#1122837)
- Fix Salt error related to remove_traditional_stack when bootstrapping an Ubuntu
minion (bsc#1128724)
- Automatically trust SUSE GPG key for client tools channels on Ubuntu systems
- Util.systeminfo sls has been added to perform different actions at minion startup(bsc#1122381)
susemanager-sync-data:
- Allow access to susemanager tools channels without res subscription (bsc#1127542)
- Add Ubuntu product definitions
- Adapt to SCC changes
- Add CaaSP 4 Toolchain
xstream:
- Update xstream to 1.4.10
- Major changes:
- CVE-2017-7957: XStream could cause a Denial of Service when unmarshalling void. (bsc#1070731)
- New XStream artifact with -java7 appended as version suffix for a library explicitly without the Java 8 stuff (lambda expression support, converters for java.time.* package).
- Improve performance by minimizing call stack of mapper chain.
- XSTR-774: Add converters for types of java.time, java.time.chrono, and java.time.temporal packages (converters for LocalDate, LocalDateTime, LocalTime, OffsetDateTime, and ZonedDateTime by Matej Cimbora).
- JavaBeanConverter does not respect ignored unknown elements.
- Add XStream.setupDefaultSecurity to initialize security framework with defaults of XStream 1.5.x.
- Emit error warning if security framework has not been initialized and the XStream instance is vulnerable to known exploits.
- Feat: modify patch to be compatible with JDK 11 building
- Fixes for SLE 15 compatibility
Patchnames
SUSE-2019-1006,SUSE-SUSE-Manager-Proxy-3.2-2019-1006,SUSE-SUSE-Manager-Server-3.2-2019-1006
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for SUSE Manager Server 3.2", title: "Title of the patch", }, { category: "description", text: "\nThis update includes the following new features:\n\n to the repository metadata (fate#325676)\n\nThis update fixes the following issues:\n\napache-commons-lang3:\n\n- Run fdupes on javadoc\n- Specify java target and source level 1.6\n to make package compatible with JDK >= 1.8\n\ncobbler:\n\n- Fixes case where distribution detection returns None (bsc#1130658)\n- SUSE texmode fix (bsc#1109316)\n\ndrools:\n\n- Update Drools to 7.17.0\n- Release Notes: https://issues.jboss.org/secure/ReleaseNote.jspa\n- Fixes for SLE 15 compatibility \n\nguava:\n\n- Updated from 13.0.1 to 27.0.1\n- Changes between 13.0.1 and 23.0:\n https://github.com/google/guava/wiki/Release14\n https://github.com/google/guava/wiki/Release15\n https://github.com/google/guava/wiki/Release16\n https://github.com/google/guava/wiki/Release17\n https://github.com/google/guava/wiki/Release18\n https://github.com/google/guava/wiki/Release19\n https://github.com/google/guava/wiki/Release23\n- Changes between 23.0 and 27.0.1:\n see https://github.com/google/guava/releases\n\njade4j:\n\n- Conditional java/java-devel requires based on os version \n- Update dependency version for commons-lang3 to 3.4\n- Fix building javadoc\n\nkie-api:\n\n- Update KIE to 7.17.0 \n- Release notes: https://issues.jboss.org/secure/ReleaseNote.jspa\n\noptaplanner:\n\n- Update Optaplanner to 7.17.0\n\npy26-compat-salt:\n\n- Fix minion arguments assign via sysctl (bsc#1124290)\n\nsmdba:\n\n- Make 'smdba space-overview' postgresql version\n agnostic (bsc#1129956)\n- Fix version mismatch\n\nspacecmd:\n\n- Fix system_delete with SSM (bsc#1125744)\n\nspacewalk-admin:\n\n- Fix encoding bug in salt event processing (bsc#1129851)\n\nspacewalk-backend:\n\n- Fix linking of packages in reposync (bsc#1131677)\n- Fix: handle non-standard filenames for comps.xml (bsc#1120242)\n- Mgr-sign-metadata can optionally clear-sign metadata files\n\nspacewalk-branding:\n\n- Introduce a description label for the new 'minion-checkin' Taskomatic job (bsc#1122837)\n\nspacewalk-certs-tools:\n\n- Add support for Ubuntu to bootstrap script\n- Clean up downloaded gpg keys after bootstrap (bsc#1126075)\n\nspacewalk-java:\n\n- Fix base channel selection for Ubuntu systems (bsc#1132579)\n- Fix retrieval of build time for .deb repositories (bsc#1131721)\n- Allow access to susemanager tools channels without res subscription (bsc#1127542)\n- Add support for SLES 15 live patches in CVE audit\n- Add a Taskomatic job to perform minion check-in regularly, drop use of Salt's Mine (bsc#1122837)\n- Fix errata_details to return details correctly (bsc#1128228)\n- Support ubuntu products and debian architectures in mgr-sync\n- Adapt check for available repositories to debian style repositories\n- Add support for custom username when bootstrapping with Salt-SSH\n- Read and update running kernel release value at each startup of minion (bsc#1122381)\n- Add error message on sync refresh when there are no scc credentials\n- Fix apidoc issues \n- Fix deleting server when minion_formulas.json is empty (bsc#1122230)\n- Minion-action-cleanup Taskomatic task: do not clean actions younger than one hour\n- Schedule full package refresh only once per action chain if needed (bsc#1126518)\n- Check and schedule package refresh in response to events independently of what originates them (bsc#1126099)\n- Add configuration option to limit the number of changelog entries added\n to the repository metadata (fate#325676)\n- Generate InRelease file for Debian/Ubuntu repos when metadata signing is enabled\n\nspacewalk-web:\n\n- Show undetected subscription-matching message object as a string anyway (bsc#1125600)\n- Fix action scheduler time picker prefill when the server is on 'UTC/GMT' timezone (bsc#1121195)\n- Allow username input on bootstrap page when using Salt-SSH\n- Add cache buster for static files (js/css) to fix caching issues after upgrading.\n\nsubscription-matcher:\n\n- Update dependencies (Drools, Optaplanner, Guava, Xstream)\n- Make the java and java-devel requirements variable\n- Relax the requirement condition on apache-commons-lang3\n\nsusemanager:\n\n- Support creating bootstrap repos for Ubuntu 18.04 and 16.04.\n- Allow alternative names for bootstrap packages, to allow\n using old client tools after package renames\n- Feat: create Ubuntu empty repository\n- Fix creation of bootstrap repositories for SLE12 (no SP) by\n requiring python-setuptools only for SLE12 >= SP1 (bsc#1129765)\n- Add bootstrap repo definition for SLE15 SP1\n\nsusemanager-docs_en:\n\n- Update text and image files.\n- Fix bad link.\n- Update Manual Backup and smdba sections.\n- Troubleshooting Salt clients.\n- Fix package endpoint in salt pillar content.\n- Ubuntu Clients supported.\n- Change License to GFL 1.2, as it is the real license for the doc\n since 3.2.0\n\nsusemanager-schema:\n\n- Add a Taskomatic job to perform minion check-in regularly, drop use of Salt's Mine (bsc#1122837)\n- Fix performance regression in inter-server-sync (bsc#1128781)\n- Set minion-action-cleanup run frequency from hourly to daily at midnight\n\nsusemanager-sls:\n\n- Update get_kernel_live_version module to support older Salt versions (bsc#1131490)\n- Update get_kernel_live_version module to support SLES 15 live patches\n- Do not configure Salt Mine in newly registered minions (bsc#1122837)\n- Fix Salt error related to remove_traditional_stack when bootstrapping an Ubuntu\n minion (bsc#1128724)\n- Automatically trust SUSE GPG key for client tools channels on Ubuntu systems\n- Util.systeminfo sls has been added to perform different actions at minion startup(bsc#1122381) \n\nsusemanager-sync-data:\n\n- Allow access to susemanager tools channels without res subscription (bsc#1127542)\n- Add Ubuntu product definitions\n- Adapt to SCC changes\n- Add CaaSP 4 Toolchain\n\nxstream:\n\n- Update xstream to 1.4.10\n- Major changes:\n- CVE-2017-7957: XStream could cause a Denial of Service when unmarshalling void. (bsc#1070731)\n- New XStream artifact with -java7 appended as version suffix for a library explicitly without the Java 8 stuff (lambda expression support, converters for java.time.* package).\n- Improve performance by minimizing call stack of mapper chain.\n- XSTR-774: Add converters for types of java.time, java.time.chrono, and java.time.temporal packages (converters for LocalDate, LocalDateTime, LocalTime, OffsetDateTime, and ZonedDateTime by Matej Cimbora).\n- JavaBeanConverter does not respect ignored unknown elements.\n- Add XStream.setupDefaultSecurity to initialize security framework with defaults of XStream 1.5.x.\n- Emit error warning if security framework has not been initialized and the XStream instance is vulnerable to known exploits.\n- Feat: modify patch to be compatible with JDK 11 building\n- Fixes for SLE 15 compatibility\n\n", title: "Description of the patch", }, { category: "details", text: "SUSE-2019-1006,SUSE-SUSE-Manager-Proxy-3.2-2019-1006,SUSE-SUSE-Manager-Server-3.2-2019-1006", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-ru-2019_1006-1.json", }, { category: "self", summary: "URL for SUSE-RU-2019:1006-1", url: "https://www.suse.com/support/update/announcement//suse-ru-20191006-1/", }, { category: "self", summary: "E-Mail link for SUSE-RU-2019:1006-1", url: "https://lists.suse.com/pipermail/sle-updates/2019-April/011286.html", }, { category: "self", summary: "SUSE Bug 1070731", url: "https://bugzilla.suse.com/1070731", }, { category: "self", summary: "SUSE Bug 1109316", url: "https://bugzilla.suse.com/1109316", }, { category: "self", summary: "SUSE Bug 1120242", url: "https://bugzilla.suse.com/1120242", }, { category: "self", summary: "SUSE Bug 1121195", url: "https://bugzilla.suse.com/1121195", }, { category: "self", summary: "SUSE Bug 1122230", url: "https://bugzilla.suse.com/1122230", }, { category: "self", summary: "SUSE Bug 1122381", url: "https://bugzilla.suse.com/1122381", }, { category: "self", summary: "SUSE Bug 1122837", url: "https://bugzilla.suse.com/1122837", }, { category: "self", summary: "SUSE Bug 1124290", url: "https://bugzilla.suse.com/1124290", }, { category: "self", summary: "SUSE Bug 1125600", url: "https://bugzilla.suse.com/1125600", }, { category: "self", summary: "SUSE Bug 1125744", url: "https://bugzilla.suse.com/1125744", }, { category: "self", summary: "SUSE Bug 1126075", url: "https://bugzilla.suse.com/1126075", }, { category: "self", summary: "SUSE Bug 1126099", url: "https://bugzilla.suse.com/1126099", }, { category: "self", summary: "SUSE Bug 1126518", url: "https://bugzilla.suse.com/1126518", }, { category: "self", summary: "SUSE Bug 1127542", url: "https://bugzilla.suse.com/1127542", }, { category: "self", summary: "SUSE Bug 1128228", url: "https://bugzilla.suse.com/1128228", }, { category: "self", summary: "SUSE Bug 1128724", url: "https://bugzilla.suse.com/1128724", }, { category: "self", summary: "SUSE Bug 1128781", url: "https://bugzilla.suse.com/1128781", }, { category: "self", summary: "SUSE Bug 1129765", url: "https://bugzilla.suse.com/1129765", }, { category: "self", summary: "SUSE Bug 1129851", url: "https://bugzilla.suse.com/1129851", }, { category: "self", summary: "SUSE Bug 1129956", url: "https://bugzilla.suse.com/1129956", }, { category: "self", summary: "SUSE Bug 1130658", url: "https://bugzilla.suse.com/1130658", }, { category: "self", summary: "SUSE Bug 1131490", url: "https://bugzilla.suse.com/1131490", }, { category: "self", summary: "SUSE Bug 1131677", url: "https://bugzilla.suse.com/1131677", }, { category: "self", summary: "SUSE Bug 1131721", url: "https://bugzilla.suse.com/1131721", }, { category: "self", summary: "SUSE Bug 1132579", url: "https://bugzilla.suse.com/1132579", }, { category: "self", summary: "SUSE CVE CVE-2017-7957 page", url: "https://www.suse.com/security/cve/CVE-2017-7957/", }, ], title: "Security update for SUSE Manager Server 3.2", tracking: { current_release_date: "2019-04-24T10:06:34Z", generator: { date: "2019-04-24T10:06:34Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-RU-2019:1006-1", initial_release_date: "2019-04-24T10:06:34Z", revision_history: [ { date: "2019-04-24T10:06:34Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "reprepro-5.3.0-2.3.3.aarch64", product: { name: "reprepro-5.3.0-2.3.3.aarch64", product_id: "reprepro-5.3.0-2.3.3.aarch64", }, }, { category: "product_version", name: "smdba-1.6.4-0.3.9.3.aarch64", product: { name: "smdba-1.6.4-0.3.9.3.aarch64", product_id: "smdba-1.6.4-0.3.9.3.aarch64", }, }, { category: "product_version", name: "spacewalk-branding-2.8.5.15-3.19.3.aarch64", product: { name: "spacewalk-branding-2.8.5.15-3.19.3.aarch64", product_id: "spacewalk-branding-2.8.5.15-3.19.3.aarch64", }, }, { category: "product_version", name: "spacewalk-branding-devel-2.8.5.15-3.19.3.aarch64", product: { name: "spacewalk-branding-devel-2.8.5.15-3.19.3.aarch64", product_id: "spacewalk-branding-devel-2.8.5.15-3.19.3.aarch64", }, }, { category: "product_version", name: "susemanager-3.2.17-3.22.4.aarch64", product: { name: "susemanager-3.2.17-3.22.4.aarch64", product_id: "susemanager-3.2.17-3.22.4.aarch64", }, }, { category: "product_version", name: "susemanager-tools-3.2.17-3.22.4.aarch64", product: { name: "susemanager-tools-3.2.17-3.22.4.aarch64", product_id: "susemanager-tools-3.2.17-3.22.4.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "apache-commons-lang3-3.4-3.3.3.noarch", product: { name: "apache-commons-lang3-3.4-3.3.3.noarch", product_id: "apache-commons-lang3-3.4-3.3.3.noarch", }, }, { category: "product_version", name: "apache-commons-lang3-javadoc-3.4-3.3.3.noarch", product: { name: "apache-commons-lang3-javadoc-3.4-3.3.3.noarch", product_id: "apache-commons-lang3-javadoc-3.4-3.3.3.noarch", }, }, { category: "product_version", name: "cobbler-2.6.6-6.16.3.noarch", product: { name: "cobbler-2.6.6-6.16.3.noarch", product_id: "cobbler-2.6.6-6.16.3.noarch", }, }, { category: "product_version", name: "cobbler-tests-2.6.6-6.16.3.noarch", product: { name: "cobbler-tests-2.6.6-6.16.3.noarch", product_id: "cobbler-tests-2.6.6-6.16.3.noarch", }, }, { category: "product_version", name: "cobbler-web-2.6.6-6.16.3.noarch", product: { name: "cobbler-web-2.6.6-6.16.3.noarch", product_id: "cobbler-web-2.6.6-6.16.3.noarch", }, }, { category: "product_version", name: "drools-7.17.0-3.3.3.noarch", product: { name: "drools-7.17.0-3.3.3.noarch", product_id: "drools-7.17.0-3.3.3.noarch", }, }, { category: "product_version", name: "drools-kit-53dfdb61201f3b0b269d4c852786ee0bf37fe43a-3.3.3.noarch", product: { name: "drools-kit-53dfdb61201f3b0b269d4c852786ee0bf37fe43a-3.3.3.noarch", product_id: "drools-kit-53dfdb61201f3b0b269d4c852786ee0bf37fe43a-3.3.3.noarch", }, }, { category: "product_version", name: "guava-27.0.1-3.3.3.noarch", product: { name: "guava-27.0.1-3.3.3.noarch", product_id: "guava-27.0.1-3.3.3.noarch", }, }, { category: "product_version", name: "guava-kit-7126fda31c41cb275edd3229be2927add848dc3a-3.3.3.noarch", product: { name: "guava-kit-7126fda31c41cb275edd3229be2927add848dc3a-3.3.3.noarch", product_id: "guava-kit-7126fda31c41cb275edd3229be2927add848dc3a-3.3.3.noarch", }, }, { category: "product_version", name: "jade4j-1.0.7-3.3.3.noarch", product: { name: "jade4j-1.0.7-3.3.3.noarch", product_id: "jade4j-1.0.7-3.3.3.noarch", }, }, { category: "product_version", name: "jade4j-kit-7a828bbbc0c99dbf7b2840d511ba06d9760a2817-3.3.3.noarch", product: { name: "jade4j-kit-7a828bbbc0c99dbf7b2840d511ba06d9760a2817-3.3.3.noarch", product_id: "jade4j-kit-7a828bbbc0c99dbf7b2840d511ba06d9760a2817-3.3.3.noarch", }, }, { category: "product_version", name: "kie-api-7.17.0-3.3.3.noarch", product: { name: "kie-api-7.17.0-3.3.3.noarch", product_id: "kie-api-7.17.0-3.3.3.noarch", }, }, { category: "product_version", name: "kie-api-kit-94b16c723b66df4b03a061e4ad5fc2ad9e289e94-3.3.3.noarch", product: { name: "kie-api-kit-94b16c723b66df4b03a061e4ad5fc2ad9e289e94-3.3.3.noarch", product_id: "kie-api-kit-94b16c723b66df4b03a061e4ad5fc2ad9e289e94-3.3.3.noarch", }, }, { category: "product_version", name: "kie-soup-7.17.0.Final-2.3.3.noarch", product: { name: "kie-soup-7.17.0.Final-2.3.3.noarch", product_id: "kie-soup-7.17.0.Final-2.3.3.noarch", }, }, { category: "product_version", name: "kie-soup-kit-17eb2802a66f42d59b44107c558f3ff0d5a360c5-2.3.3.noarch", product: { name: "kie-soup-kit-17eb2802a66f42d59b44107c558f3ff0d5a360c5-2.3.3.noarch", product_id: "kie-soup-kit-17eb2802a66f42d59b44107c558f3ff0d5a360c5-2.3.3.noarch", }, }, { category: "product_version", name: "koan-2.6.6-6.16.3.noarch", product: { name: "koan-2.6.6-6.16.3.noarch", product_id: "koan-2.6.6-6.16.3.noarch", }, }, { category: "product_version", name: "optaplanner-7.17.0-3.3.3.noarch", product: { name: "optaplanner-7.17.0-3.3.3.noarch", product_id: "optaplanner-7.17.0-3.3.3.noarch", }, }, { category: "product_version", name: "optaplanner-kit-9515bb1cc6a07917e87ad566c948bb789122bac1-3.3.3.noarch", product: { name: "optaplanner-kit-9515bb1cc6a07917e87ad566c948bb789122bac1-3.3.3.noarch", product_id: "optaplanner-kit-9515bb1cc6a07917e87ad566c948bb789122bac1-3.3.3.noarch", }, }, { category: "product_version", name: "py26-compat-salt-2016.11.10-6.21.3.noarch", product: { name: "py26-compat-salt-2016.11.10-6.21.3.noarch", product_id: "py26-compat-salt-2016.11.10-6.21.3.noarch", }, }, { category: "product_version", name: "python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", product: { name: "python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", product_id: "python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", }, }, { category: "product_version", name: "spacecmd-2.8.25.10-3.20.3.noarch", product: { name: "spacecmd-2.8.25.10-3.20.3.noarch", product_id: "spacecmd-2.8.25.10-3.20.3.noarch", }, }, { category: "product_version", name: "spacewalk-admin-2.8.4.4-3.6.3.noarch", product: { name: "spacewalk-admin-2.8.4.4-3.6.3.noarch", product_id: "spacewalk-admin-2.8.4.4-3.6.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-app-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-app-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-app-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-applet-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-applet-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-applet-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-cdn-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-cdn-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-cdn-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-iss-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-iss-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-iss-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-server-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-server-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-server-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-sql-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-sql-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-sql-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-tools-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-tools-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-tools-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-base-2.8.7.15-3.24.3.noarch", product: { name: "spacewalk-base-2.8.7.15-3.24.3.noarch", product_id: "spacewalk-base-2.8.7.15-3.24.3.noarch", }, }, { category: "product_version", name: "spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", product: { name: "spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", product_id: "spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", }, }, { category: "product_version", name: "spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", product: { name: "spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", product_id: "spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", }, }, { category: "product_version", name: "spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", product: { name: "spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", product_id: "spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", }, }, { category: "product_version", name: "spacewalk-dobby-2.8.7.15-3.24.3.noarch", product: { name: "spacewalk-dobby-2.8.7.15-3.24.3.noarch", product_id: "spacewalk-dobby-2.8.7.15-3.24.3.noarch", }, }, { category: "product_version", name: "spacewalk-html-2.8.7.15-3.24.3.noarch", product: { name: "spacewalk-html-2.8.7.15-3.24.3.noarch", product_id: "spacewalk-html-2.8.7.15-3.24.3.noarch", }, }, { category: "product_version", name: "spacewalk-java-2.8.78.21-3.29.1.noarch", product: { name: "spacewalk-java-2.8.78.21-3.29.1.noarch", product_id: "spacewalk-java-2.8.78.21-3.29.1.noarch", }, }, { category: "product_version", name: "spacewalk-java-apidoc-sources-2.8.78.21-3.29.1.noarch", product: { name: "spacewalk-java-apidoc-sources-2.8.78.21-3.29.1.noarch", product_id: "spacewalk-java-apidoc-sources-2.8.78.21-3.29.1.noarch", }, }, { category: "product_version", name: "spacewalk-java-config-2.8.78.21-3.29.1.noarch", product: { name: "spacewalk-java-config-2.8.78.21-3.29.1.noarch", product_id: "spacewalk-java-config-2.8.78.21-3.29.1.noarch", }, }, { category: "product_version", name: "spacewalk-java-lib-2.8.78.21-3.29.1.noarch", product: { name: "spacewalk-java-lib-2.8.78.21-3.29.1.noarch", product_id: "spacewalk-java-lib-2.8.78.21-3.29.1.noarch", }, }, { category: "product_version", name: "spacewalk-java-oracle-2.8.78.21-3.29.1.noarch", product: { name: "spacewalk-java-oracle-2.8.78.21-3.29.1.noarch", product_id: "spacewalk-java-oracle-2.8.78.21-3.29.1.noarch", }, }, { category: "product_version", name: "spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch", product: { name: "spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch", product_id: "spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch", }, }, { category: "product_version", name: "spacewalk-taskomatic-2.8.78.21-3.29.1.noarch", product: { name: "spacewalk-taskomatic-2.8.78.21-3.29.1.noarch", product_id: "spacewalk-taskomatic-2.8.78.21-3.29.1.noarch", }, }, { category: "product_version", name: "subscription-matcher-0.23-4.12.3.noarch", product: { name: "subscription-matcher-0.23-4.12.3.noarch", product_id: "subscription-matcher-0.23-4.12.3.noarch", }, }, { category: "product_version", name: "subscription-matcher-kit-2979e7aee24b9d228be76dc33d0f2f52ba6310c3-3.3.3.noarch", product: { name: "subscription-matcher-kit-2979e7aee24b9d228be76dc33d0f2f52ba6310c3-3.3.3.noarch", product_id: "subscription-matcher-kit-2979e7aee24b9d228be76dc33d0f2f52ba6310c3-3.3.3.noarch", }, }, { category: "product_version", name: "susemanager-schema-3.2.18-3.22.3.noarch", product: { name: "susemanager-schema-3.2.18-3.22.3.noarch", product_id: "susemanager-schema-3.2.18-3.22.3.noarch", }, }, { category: "product_version", name: "susemanager-schema-sanity-3.2.18-3.22.3.noarch", product: { name: "susemanager-schema-sanity-3.2.18-3.22.3.noarch", product_id: "susemanager-schema-sanity-3.2.18-3.22.3.noarch", }, }, { category: "product_version", name: "susemanager-sls-3.2.23-3.26.3.noarch", product: { name: "susemanager-sls-3.2.23-3.26.3.noarch", product_id: "susemanager-sls-3.2.23-3.26.3.noarch", }, }, { category: "product_version", name: "susemanager-sync-data-3.2.14-3.20.3.noarch", product: { name: "susemanager-sync-data-3.2.14-3.20.3.noarch", product_id: "susemanager-sync-data-3.2.14-3.20.3.noarch", }, }, { category: "product_version", name: "susemanager-web-libs-2.8.7.15-3.24.3.noarch", product: { name: "susemanager-web-libs-2.8.7.15-3.24.3.noarch", product_id: "susemanager-web-libs-2.8.7.15-3.24.3.noarch", }, }, { category: "product_version", name: "xstream-1.4.10-4.3.3.noarch", product: { name: "xstream-1.4.10-4.3.3.noarch", product_id: "xstream-1.4.10-4.3.3.noarch", }, }, { category: "product_version", name: "xstream-kit-e119e06fe95639ebcaaa1d03678754e7858b130e-3.3.3.noarch", product: { name: "xstream-kit-e119e06fe95639ebcaaa1d03678754e7858b130e-3.3.3.noarch", product_id: "xstream-kit-e119e06fe95639ebcaaa1d03678754e7858b130e-3.3.3.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "reprepro-5.3.0-2.3.3.ppc64le", product: { name: "reprepro-5.3.0-2.3.3.ppc64le", product_id: "reprepro-5.3.0-2.3.3.ppc64le", }, }, { category: "product_version", name: "smdba-1.6.4-0.3.9.3.ppc64le", product: { name: "smdba-1.6.4-0.3.9.3.ppc64le", product_id: "smdba-1.6.4-0.3.9.3.ppc64le", }, }, { category: "product_version", name: "spacewalk-branding-2.8.5.15-3.19.3.ppc64le", product: { name: "spacewalk-branding-2.8.5.15-3.19.3.ppc64le", product_id: "spacewalk-branding-2.8.5.15-3.19.3.ppc64le", }, }, { category: "product_version", name: "spacewalk-branding-devel-2.8.5.15-3.19.3.ppc64le", product: { name: "spacewalk-branding-devel-2.8.5.15-3.19.3.ppc64le", product_id: "spacewalk-branding-devel-2.8.5.15-3.19.3.ppc64le", }, }, { category: "product_version", name: "susemanager-3.2.17-3.22.4.ppc64le", product: { name: "susemanager-3.2.17-3.22.4.ppc64le", product_id: "susemanager-3.2.17-3.22.4.ppc64le", }, }, { category: "product_version", name: "susemanager-tools-3.2.17-3.22.4.ppc64le", product: { name: "susemanager-tools-3.2.17-3.22.4.ppc64le", product_id: "susemanager-tools-3.2.17-3.22.4.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "reprepro-5.3.0-2.3.3.s390x", product: { name: "reprepro-5.3.0-2.3.3.s390x", product_id: "reprepro-5.3.0-2.3.3.s390x", }, }, { category: "product_version", name: "smdba-1.6.4-0.3.9.3.s390x", product: { name: "smdba-1.6.4-0.3.9.3.s390x", product_id: "smdba-1.6.4-0.3.9.3.s390x", }, }, { category: "product_version", name: "spacewalk-branding-2.8.5.15-3.19.3.s390x", product: { name: "spacewalk-branding-2.8.5.15-3.19.3.s390x", product_id: "spacewalk-branding-2.8.5.15-3.19.3.s390x", }, }, { category: "product_version", name: "spacewalk-branding-devel-2.8.5.15-3.19.3.s390x", product: { name: "spacewalk-branding-devel-2.8.5.15-3.19.3.s390x", product_id: "spacewalk-branding-devel-2.8.5.15-3.19.3.s390x", }, }, { category: "product_version", name: "susemanager-3.2.17-3.22.4.s390x", product: { name: "susemanager-3.2.17-3.22.4.s390x", product_id: "susemanager-3.2.17-3.22.4.s390x", }, }, { category: "product_version", name: "susemanager-tools-3.2.17-3.22.4.s390x", product: { name: "susemanager-tools-3.2.17-3.22.4.s390x", product_id: "susemanager-tools-3.2.17-3.22.4.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "reprepro-5.3.0-2.3.3.x86_64", product: { name: "reprepro-5.3.0-2.3.3.x86_64", product_id: "reprepro-5.3.0-2.3.3.x86_64", }, }, { category: "product_version", name: "smdba-1.6.4-0.3.9.3.x86_64", product: { name: "smdba-1.6.4-0.3.9.3.x86_64", product_id: "smdba-1.6.4-0.3.9.3.x86_64", }, }, { category: "product_version", name: "spacewalk-branding-2.8.5.15-3.19.3.x86_64", product: { name: "spacewalk-branding-2.8.5.15-3.19.3.x86_64", product_id: "spacewalk-branding-2.8.5.15-3.19.3.x86_64", }, }, { category: "product_version", name: "spacewalk-branding-devel-2.8.5.15-3.19.3.x86_64", product: { name: "spacewalk-branding-devel-2.8.5.15-3.19.3.x86_64", product_id: "spacewalk-branding-devel-2.8.5.15-3.19.3.x86_64", }, }, { category: "product_version", name: "susemanager-3.2.17-3.22.4.x86_64", product: { name: "susemanager-3.2.17-3.22.4.x86_64", product_id: "susemanager-3.2.17-3.22.4.x86_64", }, }, { category: "product_version", name: "susemanager-tools-3.2.17-3.22.4.x86_64", product: { name: "susemanager-tools-3.2.17-3.22.4.x86_64", product_id: "susemanager-tools-3.2.17-3.22.4.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "SUSE Manager Proxy 3.2", product: { name: "SUSE Manager Proxy 3.2", product_id: "SUSE Manager Proxy 3.2", product_identification_helper: { cpe: "cpe:/o:suse:suse-manager-proxy:3.2", }, }, }, { category: "product_name", name: "SUSE Manager Server 3.2", product: { name: "SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2", product_identification_helper: { cpe: "cpe:/o:suse:suse-manager-server:3.2", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch as component of SUSE Manager Proxy 3.2", product_id: "SUSE Manager Proxy 3.2:python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", }, product_reference: "python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", relates_to_product_reference: "SUSE Manager Proxy 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-2.8.57.14-3.25.3.noarch as component of SUSE Manager Proxy 3.2", product_id: "SUSE Manager Proxy 3.2:spacewalk-backend-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Proxy 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-libs-2.8.57.14-3.25.3.noarch as component of SUSE Manager Proxy 3.2", product_id: "SUSE Manager Proxy 3.2:spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Proxy 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-base-minimal-2.8.7.15-3.24.3.noarch as component of SUSE Manager Proxy 3.2", product_id: "SUSE Manager Proxy 3.2:spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", }, product_reference: "spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", relates_to_product_reference: "SUSE Manager Proxy 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch as component of SUSE Manager Proxy 3.2", product_id: "SUSE Manager Proxy 3.2:spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", }, product_reference: "spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", relates_to_product_reference: "SUSE Manager Proxy 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-certs-tools-2.8.8.7-3.6.3.noarch as component of SUSE Manager Proxy 3.2", product_id: "SUSE Manager Proxy 3.2:spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", }, product_reference: "spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", relates_to_product_reference: "SUSE Manager Proxy 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-web-libs-2.8.7.15-3.24.3.noarch as component of SUSE Manager Proxy 3.2", product_id: "SUSE Manager Proxy 3.2:susemanager-web-libs-2.8.7.15-3.24.3.noarch", }, product_reference: "susemanager-web-libs-2.8.7.15-3.24.3.noarch", relates_to_product_reference: "SUSE Manager Proxy 3.2", }, { category: "default_component_of", full_product_name: { name: "apache-commons-lang3-3.4-3.3.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:apache-commons-lang3-3.4-3.3.3.noarch", }, product_reference: "apache-commons-lang3-3.4-3.3.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "cobbler-2.6.6-6.16.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:cobbler-2.6.6-6.16.3.noarch", }, product_reference: "cobbler-2.6.6-6.16.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "drools-7.17.0-3.3.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:drools-7.17.0-3.3.3.noarch", }, product_reference: "drools-7.17.0-3.3.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "guava-27.0.1-3.3.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:guava-27.0.1-3.3.3.noarch", }, product_reference: "guava-27.0.1-3.3.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "jade4j-1.0.7-3.3.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:jade4j-1.0.7-3.3.3.noarch", }, product_reference: "jade4j-1.0.7-3.3.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "kie-api-7.17.0-3.3.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:kie-api-7.17.0-3.3.3.noarch", }, product_reference: "kie-api-7.17.0-3.3.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "kie-soup-7.17.0.Final-2.3.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:kie-soup-7.17.0.Final-2.3.3.noarch", }, product_reference: "kie-soup-7.17.0.Final-2.3.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "optaplanner-7.17.0-3.3.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:optaplanner-7.17.0-3.3.3.noarch", }, product_reference: "optaplanner-7.17.0-3.3.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "py26-compat-salt-2016.11.10-6.21.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:py26-compat-salt-2016.11.10-6.21.3.noarch", }, product_reference: "py26-compat-salt-2016.11.10-6.21.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", }, product_reference: "python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "reprepro-5.3.0-2.3.3.ppc64le as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.ppc64le", }, product_reference: "reprepro-5.3.0-2.3.3.ppc64le", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "reprepro-5.3.0-2.3.3.s390x as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.s390x", }, product_reference: "reprepro-5.3.0-2.3.3.s390x", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "reprepro-5.3.0-2.3.3.x86_64 as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.x86_64", }, product_reference: "reprepro-5.3.0-2.3.3.x86_64", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "smdba-1.6.4-0.3.9.3.ppc64le as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.ppc64le", }, product_reference: "smdba-1.6.4-0.3.9.3.ppc64le", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "smdba-1.6.4-0.3.9.3.s390x as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.s390x", }, product_reference: "smdba-1.6.4-0.3.9.3.s390x", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "smdba-1.6.4-0.3.9.3.x86_64 as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.x86_64", }, product_reference: "smdba-1.6.4-0.3.9.3.x86_64", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacecmd-2.8.25.10-3.20.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacecmd-2.8.25.10-3.20.3.noarch", }, product_reference: "spacecmd-2.8.25.10-3.20.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-admin-2.8.4.4-3.6.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-admin-2.8.4.4-3.6.3.noarch", }, product_reference: "spacewalk-admin-2.8.4.4-3.6.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-app-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-app-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-app-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-applet-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-applet-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-applet-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-iss-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-iss-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-iss-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-libs-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-server-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-server-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-server-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-sql-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-sql-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-sql-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-tools-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-tools-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-tools-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-base-2.8.7.15-3.24.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-base-2.8.7.15-3.24.3.noarch", }, product_reference: "spacewalk-base-2.8.7.15-3.24.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-base-minimal-2.8.7.15-3.24.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", }, product_reference: "spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", }, product_reference: "spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-branding-2.8.5.15-3.19.3.ppc64le as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.ppc64le", }, product_reference: "spacewalk-branding-2.8.5.15-3.19.3.ppc64le", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-branding-2.8.5.15-3.19.3.s390x as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.s390x", }, product_reference: "spacewalk-branding-2.8.5.15-3.19.3.s390x", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-branding-2.8.5.15-3.19.3.x86_64 as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.x86_64", }, product_reference: "spacewalk-branding-2.8.5.15-3.19.3.x86_64", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-certs-tools-2.8.8.7-3.6.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", }, product_reference: "spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-html-2.8.7.15-3.24.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-html-2.8.7.15-3.24.3.noarch", }, product_reference: "spacewalk-html-2.8.7.15-3.24.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-java-2.8.78.21-3.29.1.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-java-2.8.78.21-3.29.1.noarch", }, product_reference: "spacewalk-java-2.8.78.21-3.29.1.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-java-config-2.8.78.21-3.29.1.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-java-config-2.8.78.21-3.29.1.noarch", }, product_reference: "spacewalk-java-config-2.8.78.21-3.29.1.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-java-lib-2.8.78.21-3.29.1.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-java-lib-2.8.78.21-3.29.1.noarch", }, product_reference: "spacewalk-java-lib-2.8.78.21-3.29.1.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-java-oracle-2.8.78.21-3.29.1.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-java-oracle-2.8.78.21-3.29.1.noarch", }, product_reference: "spacewalk-java-oracle-2.8.78.21-3.29.1.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch", }, product_reference: "spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-taskomatic-2.8.78.21-3.29.1.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-taskomatic-2.8.78.21-3.29.1.noarch", }, product_reference: "spacewalk-taskomatic-2.8.78.21-3.29.1.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "subscription-matcher-0.23-4.12.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:subscription-matcher-0.23-4.12.3.noarch", }, product_reference: "subscription-matcher-0.23-4.12.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-3.2.17-3.22.4.ppc64le as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.ppc64le", }, product_reference: "susemanager-3.2.17-3.22.4.ppc64le", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-3.2.17-3.22.4.s390x as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.s390x", }, product_reference: "susemanager-3.2.17-3.22.4.s390x", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-3.2.17-3.22.4.x86_64 as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.x86_64", }, product_reference: "susemanager-3.2.17-3.22.4.x86_64", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-schema-3.2.18-3.22.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-schema-3.2.18-3.22.3.noarch", }, product_reference: "susemanager-schema-3.2.18-3.22.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-sls-3.2.23-3.26.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-sls-3.2.23-3.26.3.noarch", }, product_reference: "susemanager-sls-3.2.23-3.26.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-sync-data-3.2.14-3.20.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-sync-data-3.2.14-3.20.3.noarch", }, product_reference: "susemanager-sync-data-3.2.14-3.20.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-tools-3.2.17-3.22.4.ppc64le as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.ppc64le", }, product_reference: "susemanager-tools-3.2.17-3.22.4.ppc64le", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-tools-3.2.17-3.22.4.s390x as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.s390x", }, product_reference: "susemanager-tools-3.2.17-3.22.4.s390x", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-tools-3.2.17-3.22.4.x86_64 as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.x86_64", }, product_reference: "susemanager-tools-3.2.17-3.22.4.x86_64", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-web-libs-2.8.7.15-3.24.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-web-libs-2.8.7.15-3.24.3.noarch", }, product_reference: "susemanager-web-libs-2.8.7.15-3.24.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.10-4.3.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:xstream-1.4.10-4.3.3.noarch", }, product_reference: "xstream-1.4.10-4.3.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, ], }, vulnerabilities: [ { cve: "CVE-2017-7957", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7957", }, ], notes: [ { category: "general", text: "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Manager Proxy 3.2:python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-backend-2.8.57.14-3.25.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Proxy 3.2:susemanager-web-libs-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:apache-commons-lang3-3.4-3.3.3.noarch", "SUSE Manager Server 3.2:cobbler-2.6.6-6.16.3.noarch", "SUSE Manager Server 3.2:drools-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:guava-27.0.1-3.3.3.noarch", "SUSE Manager Server 3.2:jade4j-1.0.7-3.3.3.noarch", "SUSE Manager Server 3.2:kie-api-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:kie-soup-7.17.0.Final-2.3.3.noarch", "SUSE Manager Server 3.2:optaplanner-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:py26-compat-salt-2016.11.10-6.21.3.noarch", "SUSE Manager Server 3.2:python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.ppc64le", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.s390x", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.x86_64", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.ppc64le", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.s390x", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.x86_64", "SUSE Manager Server 3.2:spacecmd-2.8.25.10-3.20.3.noarch", "SUSE Manager Server 3.2:spacewalk-admin-2.8.4.4-3.6.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-app-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-applet-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-iss-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-server-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-tools-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.ppc64le", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.s390x", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.x86_64", "SUSE Manager Server 3.2:spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Server 3.2:spacewalk-html-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-java-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-config-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-lib-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-oracle-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-taskomatic-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:subscription-matcher-0.23-4.12.3.noarch", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.ppc64le", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.s390x", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.x86_64", "SUSE Manager Server 3.2:susemanager-schema-3.2.18-3.22.3.noarch", "SUSE Manager Server 3.2:susemanager-sls-3.2.23-3.26.3.noarch", "SUSE Manager Server 3.2:susemanager-sync-data-3.2.14-3.20.3.noarch", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.ppc64le", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.s390x", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.x86_64", "SUSE Manager Server 3.2:susemanager-web-libs-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:xstream-1.4.10-4.3.3.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-7957", url: "https://www.suse.com/security/cve/CVE-2017-7957", }, { category: "external", summary: "SUSE Bug 1070731 for CVE-2017-7957", url: "https://bugzilla.suse.com/1070731", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Manager Proxy 3.2:python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-backend-2.8.57.14-3.25.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Proxy 3.2:susemanager-web-libs-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:apache-commons-lang3-3.4-3.3.3.noarch", "SUSE Manager Server 3.2:cobbler-2.6.6-6.16.3.noarch", "SUSE Manager Server 3.2:drools-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:guava-27.0.1-3.3.3.noarch", "SUSE Manager Server 3.2:jade4j-1.0.7-3.3.3.noarch", "SUSE Manager Server 3.2:kie-api-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:kie-soup-7.17.0.Final-2.3.3.noarch", "SUSE Manager Server 3.2:optaplanner-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:py26-compat-salt-2016.11.10-6.21.3.noarch", "SUSE Manager Server 3.2:python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.ppc64le", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.s390x", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.x86_64", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.ppc64le", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.s390x", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.x86_64", "SUSE Manager Server 3.2:spacecmd-2.8.25.10-3.20.3.noarch", "SUSE Manager Server 3.2:spacewalk-admin-2.8.4.4-3.6.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-app-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-applet-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-iss-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-server-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-tools-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.ppc64le", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.s390x", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.x86_64", "SUSE Manager Server 3.2:spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Server 3.2:spacewalk-html-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-java-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-config-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-lib-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-oracle-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-taskomatic-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:subscription-matcher-0.23-4.12.3.noarch", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.ppc64le", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.s390x", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.x86_64", "SUSE Manager Server 3.2:susemanager-schema-3.2.18-3.22.3.noarch", "SUSE Manager Server 3.2:susemanager-sls-3.2.23-3.26.3.noarch", "SUSE Manager Server 3.2:susemanager-sync-data-3.2.14-3.20.3.noarch", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.ppc64le", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.s390x", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.x86_64", "SUSE Manager Server 3.2:susemanager-web-libs-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:xstream-1.4.10-4.3.3.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "SUSE Manager Proxy 3.2:python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-backend-2.8.57.14-3.25.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Proxy 3.2:susemanager-web-libs-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:apache-commons-lang3-3.4-3.3.3.noarch", "SUSE Manager Server 3.2:cobbler-2.6.6-6.16.3.noarch", "SUSE Manager Server 3.2:drools-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:guava-27.0.1-3.3.3.noarch", "SUSE Manager Server 3.2:jade4j-1.0.7-3.3.3.noarch", "SUSE Manager Server 3.2:kie-api-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:kie-soup-7.17.0.Final-2.3.3.noarch", "SUSE Manager Server 3.2:optaplanner-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:py26-compat-salt-2016.11.10-6.21.3.noarch", "SUSE Manager Server 3.2:python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.ppc64le", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.s390x", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.x86_64", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.ppc64le", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.s390x", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.x86_64", "SUSE Manager Server 3.2:spacecmd-2.8.25.10-3.20.3.noarch", "SUSE Manager Server 3.2:spacewalk-admin-2.8.4.4-3.6.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-app-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-applet-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-iss-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-server-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-tools-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.ppc64le", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.s390x", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.x86_64", "SUSE Manager Server 3.2:spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Server 3.2:spacewalk-html-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-java-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-config-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-lib-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-oracle-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-taskomatic-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:subscription-matcher-0.23-4.12.3.noarch", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.ppc64le", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.s390x", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.x86_64", "SUSE Manager Server 3.2:susemanager-schema-3.2.18-3.22.3.noarch", "SUSE Manager Server 3.2:susemanager-sls-3.2.23-3.26.3.noarch", "SUSE Manager Server 3.2:susemanager-sync-data-3.2.14-3.20.3.noarch", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.ppc64le", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.s390x", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.x86_64", "SUSE Manager Server 3.2:susemanager-web-libs-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:xstream-1.4.10-4.3.3.noarch", ], }, ], threats: [ { category: "impact", date: "2019-04-24T10:06:34Z", details: "important", }, ], title: "CVE-2017-7957", }, ], }
suse-su-2017:3390-1
Vulnerability from csaf_suse
Published
2017-12-20 16:33
Modified
2017-12-20 16:33
Summary
Security update for xstream
Notes
Title of the patch
Security update for xstream
Description of the patch
This update for xstream fixes the following issues:
- CVE-2017-7957: XStream could cause a Denial of Service when unmarshalling void. (bsc#1070731)
Patchnames
SUSE-SUSE-Manager-Server-3.1-2017-2125
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for xstream", title: "Title of the patch", }, { category: "description", text: "This update for xstream fixes the following issues:\n\n- CVE-2017-7957: XStream could cause a Denial of Service when unmarshalling void. (bsc#1070731)\n", title: "Description of the patch", }, { category: "details", text: "SUSE-SUSE-Manager-Server-3.1-2017-2125", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2017_3390-1.json", }, { category: "self", summary: "URL for SUSE-SU-2017:3390-1", url: "https://www.suse.com/support/update/announcement/2017/suse-su-20173390-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2017:3390-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2017-December/003546.html", }, { category: "self", summary: "SUSE Bug 1070731", url: "https://bugzilla.suse.com/1070731", }, { category: "self", summary: "SUSE CVE CVE-2017-7957 page", url: "https://www.suse.com/security/cve/CVE-2017-7957/", }, ], title: "Security update for xstream", tracking: { current_release_date: "2017-12-20T16:33:12Z", generator: { date: "2017-12-20T16:33:12Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2017:3390-1", initial_release_date: "2017-12-20T16:33:12Z", revision_history: [ { date: "2017-12-20T16:33:12Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "xstream-1.4.9-3.3.1.noarch", product: { name: "xstream-1.4.9-3.3.1.noarch", product_id: "xstream-1.4.9-3.3.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "SUSE Manager Server 3.1", product: { name: "SUSE Manager Server 3.1", product_id: "SUSE Manager Server 3.1", product_identification_helper: { cpe: "cpe:/o:suse:suse-manager-server:3.1", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "xstream-1.4.9-3.3.1.noarch as component of SUSE Manager Server 3.1", product_id: "SUSE Manager Server 3.1:xstream-1.4.9-3.3.1.noarch", }, product_reference: "xstream-1.4.9-3.3.1.noarch", relates_to_product_reference: "SUSE Manager Server 3.1", }, ], }, vulnerabilities: [ { cve: "CVE-2017-7957", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7957", }, ], notes: [ { category: "general", text: "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Manager Server 3.1:xstream-1.4.9-3.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-7957", url: "https://www.suse.com/security/cve/CVE-2017-7957", }, { category: "external", summary: "SUSE Bug 1070731 for CVE-2017-7957", url: "https://bugzilla.suse.com/1070731", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Manager Server 3.1:xstream-1.4.9-3.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "SUSE Manager Server 3.1:xstream-1.4.9-3.3.1.noarch", ], }, ], threats: [ { category: "impact", date: "2017-12-20T16:33:12Z", details: "important", }, ], title: "CVE-2017-7957", }, ], }
suse-su-2019:1006-1
Vulnerability from csaf_suse
Published
2019-04-24 10:06
Modified
2019-04-24 10:06
Summary
Security update for SUSE Manager Server 3.2
Notes
Title of the patch
Security update for SUSE Manager Server 3.2
Description of the patch
This update includes the following new features:
to the repository metadata (fate#325676)
This update fixes the following issues:
apache-commons-lang3:
- Run fdupes on javadoc
- Specify java target and source level 1.6
to make package compatible with JDK >= 1.8
cobbler:
- Fixes case where distribution detection returns None (bsc#1130658)
- SUSE texmode fix (bsc#1109316)
drools:
- Update Drools to 7.17.0
- Release Notes: https://issues.jboss.org/secure/ReleaseNote.jspa
- Fixes for SLE 15 compatibility
guava:
- Updated from 13.0.1 to 27.0.1
- Changes between 13.0.1 and 23.0:
https://github.com/google/guava/wiki/Release14
https://github.com/google/guava/wiki/Release15
https://github.com/google/guava/wiki/Release16
https://github.com/google/guava/wiki/Release17
https://github.com/google/guava/wiki/Release18
https://github.com/google/guava/wiki/Release19
https://github.com/google/guava/wiki/Release23
- Changes between 23.0 and 27.0.1:
see https://github.com/google/guava/releases
jade4j:
- Conditional java/java-devel requires based on os version
- Update dependency version for commons-lang3 to 3.4
- Fix building javadoc
kie-api:
- Update KIE to 7.17.0
- Release notes: https://issues.jboss.org/secure/ReleaseNote.jspa
optaplanner:
- Update Optaplanner to 7.17.0
py26-compat-salt:
- Fix minion arguments assign via sysctl (bsc#1124290)
smdba:
- Make 'smdba space-overview' postgresql version
agnostic (bsc#1129956)
- Fix version mismatch
spacecmd:
- Fix system_delete with SSM (bsc#1125744)
spacewalk-admin:
- Fix encoding bug in salt event processing (bsc#1129851)
spacewalk-backend:
- Fix linking of packages in reposync (bsc#1131677)
- Fix: handle non-standard filenames for comps.xml (bsc#1120242)
- Mgr-sign-metadata can optionally clear-sign metadata files
spacewalk-branding:
- Introduce a description label for the new 'minion-checkin' Taskomatic job (bsc#1122837)
spacewalk-certs-tools:
- Add support for Ubuntu to bootstrap script
- Clean up downloaded gpg keys after bootstrap (bsc#1126075)
spacewalk-java:
- Fix base channel selection for Ubuntu systems (bsc#1132579)
- Fix retrieval of build time for .deb repositories (bsc#1131721)
- Allow access to susemanager tools channels without res subscription (bsc#1127542)
- Add support for SLES 15 live patches in CVE audit
- Add a Taskomatic job to perform minion check-in regularly, drop use of Salt's Mine (bsc#1122837)
- Fix errata_details to return details correctly (bsc#1128228)
- Support ubuntu products and debian architectures in mgr-sync
- Adapt check for available repositories to debian style repositories
- Add support for custom username when bootstrapping with Salt-SSH
- Read and update running kernel release value at each startup of minion (bsc#1122381)
- Add error message on sync refresh when there are no scc credentials
- Fix apidoc issues
- Fix deleting server when minion_formulas.json is empty (bsc#1122230)
- Minion-action-cleanup Taskomatic task: do not clean actions younger than one hour
- Schedule full package refresh only once per action chain if needed (bsc#1126518)
- Check and schedule package refresh in response to events independently of what originates them (bsc#1126099)
- Add configuration option to limit the number of changelog entries added
to the repository metadata (fate#325676)
- Generate InRelease file for Debian/Ubuntu repos when metadata signing is enabled
spacewalk-web:
- Show undetected subscription-matching message object as a string anyway (bsc#1125600)
- Fix action scheduler time picker prefill when the server is on 'UTC/GMT' timezone (bsc#1121195)
- Allow username input on bootstrap page when using Salt-SSH
- Add cache buster for static files (js/css) to fix caching issues after upgrading.
subscription-matcher:
- Update dependencies (Drools, Optaplanner, Guava, Xstream)
- Make the java and java-devel requirements variable
- Relax the requirement condition on apache-commons-lang3
susemanager:
- Support creating bootstrap repos for Ubuntu 18.04 and 16.04.
- Allow alternative names for bootstrap packages, to allow
using old client tools after package renames
- Feat: create Ubuntu empty repository
- Fix creation of bootstrap repositories for SLE12 (no SP) by
requiring python-setuptools only for SLE12 >= SP1 (bsc#1129765)
- Add bootstrap repo definition for SLE15 SP1
susemanager-docs_en:
- Update text and image files.
- Fix bad link.
- Update Manual Backup and smdba sections.
- Troubleshooting Salt clients.
- Fix package endpoint in salt pillar content.
- Ubuntu Clients supported.
- Change License to GFL 1.2, as it is the real license for the doc
since 3.2.0
susemanager-schema:
- Add a Taskomatic job to perform minion check-in regularly, drop use of Salt's Mine (bsc#1122837)
- Fix performance regression in inter-server-sync (bsc#1128781)
- Set minion-action-cleanup run frequency from hourly to daily at midnight
susemanager-sls:
- Update get_kernel_live_version module to support older Salt versions (bsc#1131490)
- Update get_kernel_live_version module to support SLES 15 live patches
- Do not configure Salt Mine in newly registered minions (bsc#1122837)
- Fix Salt error related to remove_traditional_stack when bootstrapping an Ubuntu
minion (bsc#1128724)
- Automatically trust SUSE GPG key for client tools channels on Ubuntu systems
- Util.systeminfo sls has been added to perform different actions at minion startup(bsc#1122381)
susemanager-sync-data:
- Allow access to susemanager tools channels without res subscription (bsc#1127542)
- Add Ubuntu product definitions
- Adapt to SCC changes
- Add CaaSP 4 Toolchain
xstream:
- Update xstream to 1.4.10
- Major changes:
- CVE-2017-7957: XStream could cause a Denial of Service when unmarshalling void. (bsc#1070731)
- New XStream artifact with -java7 appended as version suffix for a library explicitly without the Java 8 stuff (lambda expression support, converters for java.time.* package).
- Improve performance by minimizing call stack of mapper chain.
- XSTR-774: Add converters for types of java.time, java.time.chrono, and java.time.temporal packages (converters for LocalDate, LocalDateTime, LocalTime, OffsetDateTime, and ZonedDateTime by Matej Cimbora).
- JavaBeanConverter does not respect ignored unknown elements.
- Add XStream.setupDefaultSecurity to initialize security framework with defaults of XStream 1.5.x.
- Emit error warning if security framework has not been initialized and the XStream instance is vulnerable to known exploits.
- Feat: modify patch to be compatible with JDK 11 building
- Fixes for SLE 15 compatibility
Patchnames
SUSE-2019-1006,SUSE-SUSE-Manager-Proxy-3.2-2019-1006,SUSE-SUSE-Manager-Server-3.2-2019-1006
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for SUSE Manager Server 3.2", title: "Title of the patch", }, { category: "description", text: "\nThis update includes the following new features:\n\n to the repository metadata (fate#325676)\n\nThis update fixes the following issues:\n\napache-commons-lang3:\n\n- Run fdupes on javadoc\n- Specify java target and source level 1.6\n to make package compatible with JDK >= 1.8\n\ncobbler:\n\n- Fixes case where distribution detection returns None (bsc#1130658)\n- SUSE texmode fix (bsc#1109316)\n\ndrools:\n\n- Update Drools to 7.17.0\n- Release Notes: https://issues.jboss.org/secure/ReleaseNote.jspa\n- Fixes for SLE 15 compatibility \n\nguava:\n\n- Updated from 13.0.1 to 27.0.1\n- Changes between 13.0.1 and 23.0:\n https://github.com/google/guava/wiki/Release14\n https://github.com/google/guava/wiki/Release15\n https://github.com/google/guava/wiki/Release16\n https://github.com/google/guava/wiki/Release17\n https://github.com/google/guava/wiki/Release18\n https://github.com/google/guava/wiki/Release19\n https://github.com/google/guava/wiki/Release23\n- Changes between 23.0 and 27.0.1:\n see https://github.com/google/guava/releases\n\njade4j:\n\n- Conditional java/java-devel requires based on os version \n- Update dependency version for commons-lang3 to 3.4\n- Fix building javadoc\n\nkie-api:\n\n- Update KIE to 7.17.0 \n- Release notes: https://issues.jboss.org/secure/ReleaseNote.jspa\n\noptaplanner:\n\n- Update Optaplanner to 7.17.0\n\npy26-compat-salt:\n\n- Fix minion arguments assign via sysctl (bsc#1124290)\n\nsmdba:\n\n- Make 'smdba space-overview' postgresql version\n agnostic (bsc#1129956)\n- Fix version mismatch\n\nspacecmd:\n\n- Fix system_delete with SSM (bsc#1125744)\n\nspacewalk-admin:\n\n- Fix encoding bug in salt event processing (bsc#1129851)\n\nspacewalk-backend:\n\n- Fix linking of packages in reposync (bsc#1131677)\n- Fix: handle non-standard filenames for comps.xml (bsc#1120242)\n- Mgr-sign-metadata can optionally clear-sign metadata files\n\nspacewalk-branding:\n\n- Introduce a description label for the new 'minion-checkin' Taskomatic job (bsc#1122837)\n\nspacewalk-certs-tools:\n\n- Add support for Ubuntu to bootstrap script\n- Clean up downloaded gpg keys after bootstrap (bsc#1126075)\n\nspacewalk-java:\n\n- Fix base channel selection for Ubuntu systems (bsc#1132579)\n- Fix retrieval of build time for .deb repositories (bsc#1131721)\n- Allow access to susemanager tools channels without res subscription (bsc#1127542)\n- Add support for SLES 15 live patches in CVE audit\n- Add a Taskomatic job to perform minion check-in regularly, drop use of Salt's Mine (bsc#1122837)\n- Fix errata_details to return details correctly (bsc#1128228)\n- Support ubuntu products and debian architectures in mgr-sync\n- Adapt check for available repositories to debian style repositories\n- Add support for custom username when bootstrapping with Salt-SSH\n- Read and update running kernel release value at each startup of minion (bsc#1122381)\n- Add error message on sync refresh when there are no scc credentials\n- Fix apidoc issues \n- Fix deleting server when minion_formulas.json is empty (bsc#1122230)\n- Minion-action-cleanup Taskomatic task: do not clean actions younger than one hour\n- Schedule full package refresh only once per action chain if needed (bsc#1126518)\n- Check and schedule package refresh in response to events independently of what originates them (bsc#1126099)\n- Add configuration option to limit the number of changelog entries added\n to the repository metadata (fate#325676)\n- Generate InRelease file for Debian/Ubuntu repos when metadata signing is enabled\n\nspacewalk-web:\n\n- Show undetected subscription-matching message object as a string anyway (bsc#1125600)\n- Fix action scheduler time picker prefill when the server is on 'UTC/GMT' timezone (bsc#1121195)\n- Allow username input on bootstrap page when using Salt-SSH\n- Add cache buster for static files (js/css) to fix caching issues after upgrading.\n\nsubscription-matcher:\n\n- Update dependencies (Drools, Optaplanner, Guava, Xstream)\n- Make the java and java-devel requirements variable\n- Relax the requirement condition on apache-commons-lang3\n\nsusemanager:\n\n- Support creating bootstrap repos for Ubuntu 18.04 and 16.04.\n- Allow alternative names for bootstrap packages, to allow\n using old client tools after package renames\n- Feat: create Ubuntu empty repository\n- Fix creation of bootstrap repositories for SLE12 (no SP) by\n requiring python-setuptools only for SLE12 >= SP1 (bsc#1129765)\n- Add bootstrap repo definition for SLE15 SP1\n\nsusemanager-docs_en:\n\n- Update text and image files.\n- Fix bad link.\n- Update Manual Backup and smdba sections.\n- Troubleshooting Salt clients.\n- Fix package endpoint in salt pillar content.\n- Ubuntu Clients supported.\n- Change License to GFL 1.2, as it is the real license for the doc\n since 3.2.0\n\nsusemanager-schema:\n\n- Add a Taskomatic job to perform minion check-in regularly, drop use of Salt's Mine (bsc#1122837)\n- Fix performance regression in inter-server-sync (bsc#1128781)\n- Set minion-action-cleanup run frequency from hourly to daily at midnight\n\nsusemanager-sls:\n\n- Update get_kernel_live_version module to support older Salt versions (bsc#1131490)\n- Update get_kernel_live_version module to support SLES 15 live patches\n- Do not configure Salt Mine in newly registered minions (bsc#1122837)\n- Fix Salt error related to remove_traditional_stack when bootstrapping an Ubuntu\n minion (bsc#1128724)\n- Automatically trust SUSE GPG key for client tools channels on Ubuntu systems\n- Util.systeminfo sls has been added to perform different actions at minion startup(bsc#1122381) \n\nsusemanager-sync-data:\n\n- Allow access to susemanager tools channels without res subscription (bsc#1127542)\n- Add Ubuntu product definitions\n- Adapt to SCC changes\n- Add CaaSP 4 Toolchain\n\nxstream:\n\n- Update xstream to 1.4.10\n- Major changes:\n- CVE-2017-7957: XStream could cause a Denial of Service when unmarshalling void. (bsc#1070731)\n- New XStream artifact with -java7 appended as version suffix for a library explicitly without the Java 8 stuff (lambda expression support, converters for java.time.* package).\n- Improve performance by minimizing call stack of mapper chain.\n- XSTR-774: Add converters for types of java.time, java.time.chrono, and java.time.temporal packages (converters for LocalDate, LocalDateTime, LocalTime, OffsetDateTime, and ZonedDateTime by Matej Cimbora).\n- JavaBeanConverter does not respect ignored unknown elements.\n- Add XStream.setupDefaultSecurity to initialize security framework with defaults of XStream 1.5.x.\n- Emit error warning if security framework has not been initialized and the XStream instance is vulnerable to known exploits.\n- Feat: modify patch to be compatible with JDK 11 building\n- Fixes for SLE 15 compatibility\n\n", title: "Description of the patch", }, { category: "details", text: "SUSE-2019-1006,SUSE-SUSE-Manager-Proxy-3.2-2019-1006,SUSE-SUSE-Manager-Server-3.2-2019-1006", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2019_1006-1.json", }, { category: "self", summary: "URL for SUSE-SU-2019:1006-1", url: "https://www.suse.com/support/update/announcement/2019/suse-su-20191006-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2019:1006-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2019-April/005354.html", }, { category: "self", summary: "SUSE Bug 1070731", url: "https://bugzilla.suse.com/1070731", }, { category: "self", summary: "SUSE Bug 1109316", url: "https://bugzilla.suse.com/1109316", }, { category: "self", summary: "SUSE Bug 1120242", url: "https://bugzilla.suse.com/1120242", }, { category: "self", summary: "SUSE Bug 1121195", url: "https://bugzilla.suse.com/1121195", }, { category: "self", summary: "SUSE Bug 1122230", url: "https://bugzilla.suse.com/1122230", }, { category: "self", summary: "SUSE Bug 1122381", url: "https://bugzilla.suse.com/1122381", }, { category: "self", summary: "SUSE Bug 1122837", url: "https://bugzilla.suse.com/1122837", }, { category: "self", summary: "SUSE Bug 1124290", url: "https://bugzilla.suse.com/1124290", }, { category: "self", summary: "SUSE Bug 1125600", url: "https://bugzilla.suse.com/1125600", }, { category: "self", summary: "SUSE Bug 1125744", url: "https://bugzilla.suse.com/1125744", }, { category: "self", summary: "SUSE Bug 1126075", url: "https://bugzilla.suse.com/1126075", }, { category: "self", summary: "SUSE Bug 1126099", url: "https://bugzilla.suse.com/1126099", }, { category: "self", summary: "SUSE Bug 1126518", url: "https://bugzilla.suse.com/1126518", }, { category: "self", summary: "SUSE Bug 1127542", url: "https://bugzilla.suse.com/1127542", }, { category: "self", summary: "SUSE Bug 1128228", url: "https://bugzilla.suse.com/1128228", }, { category: "self", summary: "SUSE Bug 1128724", url: "https://bugzilla.suse.com/1128724", }, { category: "self", summary: "SUSE Bug 1128781", url: "https://bugzilla.suse.com/1128781", }, { category: "self", summary: "SUSE Bug 1129765", url: "https://bugzilla.suse.com/1129765", }, { category: "self", summary: "SUSE Bug 1129851", url: "https://bugzilla.suse.com/1129851", }, { category: "self", summary: "SUSE Bug 1129956", url: "https://bugzilla.suse.com/1129956", }, { category: "self", summary: "SUSE Bug 1130658", url: "https://bugzilla.suse.com/1130658", }, { category: "self", summary: "SUSE Bug 1131490", url: "https://bugzilla.suse.com/1131490", }, { category: "self", summary: "SUSE Bug 1131677", url: "https://bugzilla.suse.com/1131677", }, { category: "self", summary: "SUSE Bug 1131721", url: "https://bugzilla.suse.com/1131721", }, { category: "self", summary: "SUSE Bug 1132579", url: "https://bugzilla.suse.com/1132579", }, { category: "self", summary: "SUSE CVE CVE-2017-7957 page", url: "https://www.suse.com/security/cve/CVE-2017-7957/", }, ], title: "Security update for SUSE Manager Server 3.2", tracking: { current_release_date: "2019-04-24T10:06:34Z", generator: { date: "2019-04-24T10:06:34Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2019:1006-1", initial_release_date: "2019-04-24T10:06:34Z", revision_history: [ { date: "2019-04-24T10:06:34Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "reprepro-5.3.0-2.3.3.aarch64", product: { name: "reprepro-5.3.0-2.3.3.aarch64", product_id: "reprepro-5.3.0-2.3.3.aarch64", }, }, { category: "product_version", name: "smdba-1.6.4-0.3.9.3.aarch64", product: { name: "smdba-1.6.4-0.3.9.3.aarch64", product_id: "smdba-1.6.4-0.3.9.3.aarch64", }, }, { category: "product_version", name: "spacewalk-branding-2.8.5.15-3.19.3.aarch64", product: { name: "spacewalk-branding-2.8.5.15-3.19.3.aarch64", product_id: "spacewalk-branding-2.8.5.15-3.19.3.aarch64", }, }, { category: "product_version", name: "spacewalk-branding-devel-2.8.5.15-3.19.3.aarch64", product: { name: "spacewalk-branding-devel-2.8.5.15-3.19.3.aarch64", product_id: "spacewalk-branding-devel-2.8.5.15-3.19.3.aarch64", }, }, { category: "product_version", name: "susemanager-3.2.17-3.22.4.aarch64", product: { name: "susemanager-3.2.17-3.22.4.aarch64", product_id: "susemanager-3.2.17-3.22.4.aarch64", }, }, { category: "product_version", name: "susemanager-tools-3.2.17-3.22.4.aarch64", product: { name: "susemanager-tools-3.2.17-3.22.4.aarch64", product_id: "susemanager-tools-3.2.17-3.22.4.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "apache-commons-lang3-3.4-3.3.3.noarch", product: { name: "apache-commons-lang3-3.4-3.3.3.noarch", product_id: "apache-commons-lang3-3.4-3.3.3.noarch", }, }, { category: "product_version", name: "apache-commons-lang3-javadoc-3.4-3.3.3.noarch", product: { name: "apache-commons-lang3-javadoc-3.4-3.3.3.noarch", product_id: "apache-commons-lang3-javadoc-3.4-3.3.3.noarch", }, }, { category: "product_version", name: "cobbler-2.6.6-6.16.3.noarch", product: { name: "cobbler-2.6.6-6.16.3.noarch", product_id: "cobbler-2.6.6-6.16.3.noarch", }, }, { category: "product_version", name: "cobbler-tests-2.6.6-6.16.3.noarch", product: { name: "cobbler-tests-2.6.6-6.16.3.noarch", product_id: "cobbler-tests-2.6.6-6.16.3.noarch", }, }, { category: "product_version", name: "cobbler-web-2.6.6-6.16.3.noarch", product: { name: "cobbler-web-2.6.6-6.16.3.noarch", product_id: "cobbler-web-2.6.6-6.16.3.noarch", }, }, { category: "product_version", name: "drools-7.17.0-3.3.3.noarch", product: { name: "drools-7.17.0-3.3.3.noarch", product_id: "drools-7.17.0-3.3.3.noarch", }, }, { category: "product_version", name: "drools-kit-53dfdb61201f3b0b269d4c852786ee0bf37fe43a-3.3.3.noarch", product: { name: "drools-kit-53dfdb61201f3b0b269d4c852786ee0bf37fe43a-3.3.3.noarch", product_id: "drools-kit-53dfdb61201f3b0b269d4c852786ee0bf37fe43a-3.3.3.noarch", }, }, { category: "product_version", name: "guava-27.0.1-3.3.3.noarch", product: { name: "guava-27.0.1-3.3.3.noarch", product_id: "guava-27.0.1-3.3.3.noarch", }, }, { category: "product_version", name: "guava-kit-7126fda31c41cb275edd3229be2927add848dc3a-3.3.3.noarch", product: { name: "guava-kit-7126fda31c41cb275edd3229be2927add848dc3a-3.3.3.noarch", product_id: "guava-kit-7126fda31c41cb275edd3229be2927add848dc3a-3.3.3.noarch", }, }, { category: "product_version", name: "jade4j-1.0.7-3.3.3.noarch", product: { name: "jade4j-1.0.7-3.3.3.noarch", product_id: "jade4j-1.0.7-3.3.3.noarch", }, }, { category: "product_version", name: "jade4j-kit-7a828bbbc0c99dbf7b2840d511ba06d9760a2817-3.3.3.noarch", product: { name: "jade4j-kit-7a828bbbc0c99dbf7b2840d511ba06d9760a2817-3.3.3.noarch", product_id: "jade4j-kit-7a828bbbc0c99dbf7b2840d511ba06d9760a2817-3.3.3.noarch", }, }, { category: "product_version", name: "kie-api-7.17.0-3.3.3.noarch", product: { name: "kie-api-7.17.0-3.3.3.noarch", product_id: "kie-api-7.17.0-3.3.3.noarch", }, }, { category: "product_version", name: "kie-api-kit-94b16c723b66df4b03a061e4ad5fc2ad9e289e94-3.3.3.noarch", product: { name: "kie-api-kit-94b16c723b66df4b03a061e4ad5fc2ad9e289e94-3.3.3.noarch", product_id: "kie-api-kit-94b16c723b66df4b03a061e4ad5fc2ad9e289e94-3.3.3.noarch", }, }, { category: "product_version", name: "kie-soup-7.17.0.Final-2.3.3.noarch", product: { name: "kie-soup-7.17.0.Final-2.3.3.noarch", product_id: "kie-soup-7.17.0.Final-2.3.3.noarch", }, }, { category: "product_version", name: "kie-soup-kit-17eb2802a66f42d59b44107c558f3ff0d5a360c5-2.3.3.noarch", product: { name: "kie-soup-kit-17eb2802a66f42d59b44107c558f3ff0d5a360c5-2.3.3.noarch", product_id: "kie-soup-kit-17eb2802a66f42d59b44107c558f3ff0d5a360c5-2.3.3.noarch", }, }, { category: "product_version", name: "koan-2.6.6-6.16.3.noarch", product: { name: "koan-2.6.6-6.16.3.noarch", product_id: "koan-2.6.6-6.16.3.noarch", }, }, { category: "product_version", name: "optaplanner-7.17.0-3.3.3.noarch", product: { name: "optaplanner-7.17.0-3.3.3.noarch", product_id: "optaplanner-7.17.0-3.3.3.noarch", }, }, { category: "product_version", name: "optaplanner-kit-9515bb1cc6a07917e87ad566c948bb789122bac1-3.3.3.noarch", product: { name: "optaplanner-kit-9515bb1cc6a07917e87ad566c948bb789122bac1-3.3.3.noarch", product_id: "optaplanner-kit-9515bb1cc6a07917e87ad566c948bb789122bac1-3.3.3.noarch", }, }, { category: "product_version", name: "py26-compat-salt-2016.11.10-6.21.3.noarch", product: { name: "py26-compat-salt-2016.11.10-6.21.3.noarch", product_id: "py26-compat-salt-2016.11.10-6.21.3.noarch", }, }, { category: "product_version", name: "python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", product: { name: "python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", product_id: "python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", }, }, { category: "product_version", name: "spacecmd-2.8.25.10-3.20.3.noarch", product: { name: "spacecmd-2.8.25.10-3.20.3.noarch", product_id: "spacecmd-2.8.25.10-3.20.3.noarch", }, }, { category: "product_version", name: "spacewalk-admin-2.8.4.4-3.6.3.noarch", product: { name: "spacewalk-admin-2.8.4.4-3.6.3.noarch", product_id: "spacewalk-admin-2.8.4.4-3.6.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-app-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-app-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-app-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-applet-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-applet-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-applet-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-cdn-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-cdn-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-cdn-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-iss-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-iss-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-iss-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-server-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-server-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-server-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-sql-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-sql-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-sql-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-tools-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-tools-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-tools-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch", product: { name: "spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch", product_id: "spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch", }, }, { category: "product_version", name: "spacewalk-base-2.8.7.15-3.24.3.noarch", product: { name: "spacewalk-base-2.8.7.15-3.24.3.noarch", product_id: "spacewalk-base-2.8.7.15-3.24.3.noarch", }, }, { category: "product_version", name: "spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", product: { name: "spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", product_id: "spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", }, }, { category: "product_version", name: "spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", product: { name: "spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", product_id: "spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", }, }, { category: "product_version", name: "spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", product: { name: "spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", product_id: "spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", }, }, { category: "product_version", name: "spacewalk-dobby-2.8.7.15-3.24.3.noarch", product: { name: "spacewalk-dobby-2.8.7.15-3.24.3.noarch", product_id: "spacewalk-dobby-2.8.7.15-3.24.3.noarch", }, }, { category: "product_version", name: "spacewalk-html-2.8.7.15-3.24.3.noarch", product: { name: "spacewalk-html-2.8.7.15-3.24.3.noarch", product_id: "spacewalk-html-2.8.7.15-3.24.3.noarch", }, }, { category: "product_version", name: "spacewalk-java-2.8.78.21-3.29.1.noarch", product: { name: "spacewalk-java-2.8.78.21-3.29.1.noarch", product_id: "spacewalk-java-2.8.78.21-3.29.1.noarch", }, }, { category: "product_version", name: "spacewalk-java-apidoc-sources-2.8.78.21-3.29.1.noarch", product: { name: "spacewalk-java-apidoc-sources-2.8.78.21-3.29.1.noarch", product_id: "spacewalk-java-apidoc-sources-2.8.78.21-3.29.1.noarch", }, }, { category: "product_version", name: "spacewalk-java-config-2.8.78.21-3.29.1.noarch", product: { name: "spacewalk-java-config-2.8.78.21-3.29.1.noarch", product_id: "spacewalk-java-config-2.8.78.21-3.29.1.noarch", }, }, { category: "product_version", name: "spacewalk-java-lib-2.8.78.21-3.29.1.noarch", product: { name: "spacewalk-java-lib-2.8.78.21-3.29.1.noarch", product_id: "spacewalk-java-lib-2.8.78.21-3.29.1.noarch", }, }, { category: "product_version", name: "spacewalk-java-oracle-2.8.78.21-3.29.1.noarch", product: { name: "spacewalk-java-oracle-2.8.78.21-3.29.1.noarch", product_id: "spacewalk-java-oracle-2.8.78.21-3.29.1.noarch", }, }, { category: "product_version", name: "spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch", product: { name: "spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch", product_id: "spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch", }, }, { category: "product_version", name: "spacewalk-taskomatic-2.8.78.21-3.29.1.noarch", product: { name: "spacewalk-taskomatic-2.8.78.21-3.29.1.noarch", product_id: "spacewalk-taskomatic-2.8.78.21-3.29.1.noarch", }, }, { category: "product_version", name: "subscription-matcher-0.23-4.12.3.noarch", product: { name: "subscription-matcher-0.23-4.12.3.noarch", product_id: "subscription-matcher-0.23-4.12.3.noarch", }, }, { category: "product_version", name: "subscription-matcher-kit-2979e7aee24b9d228be76dc33d0f2f52ba6310c3-3.3.3.noarch", product: { name: "subscription-matcher-kit-2979e7aee24b9d228be76dc33d0f2f52ba6310c3-3.3.3.noarch", product_id: "subscription-matcher-kit-2979e7aee24b9d228be76dc33d0f2f52ba6310c3-3.3.3.noarch", }, }, { category: "product_version", name: "susemanager-schema-3.2.18-3.22.3.noarch", product: { name: "susemanager-schema-3.2.18-3.22.3.noarch", product_id: "susemanager-schema-3.2.18-3.22.3.noarch", }, }, { category: "product_version", name: "susemanager-schema-sanity-3.2.18-3.22.3.noarch", product: { name: "susemanager-schema-sanity-3.2.18-3.22.3.noarch", product_id: "susemanager-schema-sanity-3.2.18-3.22.3.noarch", }, }, { category: "product_version", name: "susemanager-sls-3.2.23-3.26.3.noarch", product: { name: "susemanager-sls-3.2.23-3.26.3.noarch", product_id: "susemanager-sls-3.2.23-3.26.3.noarch", }, }, { category: "product_version", name: "susemanager-sync-data-3.2.14-3.20.3.noarch", product: { name: "susemanager-sync-data-3.2.14-3.20.3.noarch", product_id: "susemanager-sync-data-3.2.14-3.20.3.noarch", }, }, { category: "product_version", name: "susemanager-web-libs-2.8.7.15-3.24.3.noarch", product: { name: "susemanager-web-libs-2.8.7.15-3.24.3.noarch", product_id: "susemanager-web-libs-2.8.7.15-3.24.3.noarch", }, }, { category: "product_version", name: "xstream-1.4.10-4.3.3.noarch", product: { name: "xstream-1.4.10-4.3.3.noarch", product_id: "xstream-1.4.10-4.3.3.noarch", }, }, { category: "product_version", name: "xstream-kit-e119e06fe95639ebcaaa1d03678754e7858b130e-3.3.3.noarch", product: { name: "xstream-kit-e119e06fe95639ebcaaa1d03678754e7858b130e-3.3.3.noarch", product_id: "xstream-kit-e119e06fe95639ebcaaa1d03678754e7858b130e-3.3.3.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "reprepro-5.3.0-2.3.3.ppc64le", product: { name: "reprepro-5.3.0-2.3.3.ppc64le", product_id: "reprepro-5.3.0-2.3.3.ppc64le", }, }, { category: "product_version", name: "smdba-1.6.4-0.3.9.3.ppc64le", product: { name: "smdba-1.6.4-0.3.9.3.ppc64le", product_id: "smdba-1.6.4-0.3.9.3.ppc64le", }, }, { category: "product_version", name: "spacewalk-branding-2.8.5.15-3.19.3.ppc64le", product: { name: "spacewalk-branding-2.8.5.15-3.19.3.ppc64le", product_id: "spacewalk-branding-2.8.5.15-3.19.3.ppc64le", }, }, { category: "product_version", name: "spacewalk-branding-devel-2.8.5.15-3.19.3.ppc64le", product: { name: "spacewalk-branding-devel-2.8.5.15-3.19.3.ppc64le", product_id: "spacewalk-branding-devel-2.8.5.15-3.19.3.ppc64le", }, }, { category: "product_version", name: "susemanager-3.2.17-3.22.4.ppc64le", product: { name: "susemanager-3.2.17-3.22.4.ppc64le", product_id: "susemanager-3.2.17-3.22.4.ppc64le", }, }, { category: "product_version", name: "susemanager-tools-3.2.17-3.22.4.ppc64le", product: { name: "susemanager-tools-3.2.17-3.22.4.ppc64le", product_id: "susemanager-tools-3.2.17-3.22.4.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "reprepro-5.3.0-2.3.3.s390x", product: { name: "reprepro-5.3.0-2.3.3.s390x", product_id: "reprepro-5.3.0-2.3.3.s390x", }, }, { category: "product_version", name: "smdba-1.6.4-0.3.9.3.s390x", product: { name: "smdba-1.6.4-0.3.9.3.s390x", product_id: "smdba-1.6.4-0.3.9.3.s390x", }, }, { category: "product_version", name: "spacewalk-branding-2.8.5.15-3.19.3.s390x", product: { name: "spacewalk-branding-2.8.5.15-3.19.3.s390x", product_id: "spacewalk-branding-2.8.5.15-3.19.3.s390x", }, }, { category: "product_version", name: "spacewalk-branding-devel-2.8.5.15-3.19.3.s390x", product: { name: "spacewalk-branding-devel-2.8.5.15-3.19.3.s390x", product_id: "spacewalk-branding-devel-2.8.5.15-3.19.3.s390x", }, }, { category: "product_version", name: "susemanager-3.2.17-3.22.4.s390x", product: { name: "susemanager-3.2.17-3.22.4.s390x", product_id: "susemanager-3.2.17-3.22.4.s390x", }, }, { category: "product_version", name: "susemanager-tools-3.2.17-3.22.4.s390x", product: { name: "susemanager-tools-3.2.17-3.22.4.s390x", product_id: "susemanager-tools-3.2.17-3.22.4.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "reprepro-5.3.0-2.3.3.x86_64", product: { name: "reprepro-5.3.0-2.3.3.x86_64", product_id: "reprepro-5.3.0-2.3.3.x86_64", }, }, { category: "product_version", name: "smdba-1.6.4-0.3.9.3.x86_64", product: { name: "smdba-1.6.4-0.3.9.3.x86_64", product_id: "smdba-1.6.4-0.3.9.3.x86_64", }, }, { category: "product_version", name: "spacewalk-branding-2.8.5.15-3.19.3.x86_64", product: { name: "spacewalk-branding-2.8.5.15-3.19.3.x86_64", product_id: "spacewalk-branding-2.8.5.15-3.19.3.x86_64", }, }, { category: "product_version", name: "spacewalk-branding-devel-2.8.5.15-3.19.3.x86_64", product: { name: "spacewalk-branding-devel-2.8.5.15-3.19.3.x86_64", product_id: "spacewalk-branding-devel-2.8.5.15-3.19.3.x86_64", }, }, { category: "product_version", name: "susemanager-3.2.17-3.22.4.x86_64", product: { name: "susemanager-3.2.17-3.22.4.x86_64", product_id: "susemanager-3.2.17-3.22.4.x86_64", }, }, { category: "product_version", name: "susemanager-tools-3.2.17-3.22.4.x86_64", product: { name: "susemanager-tools-3.2.17-3.22.4.x86_64", product_id: "susemanager-tools-3.2.17-3.22.4.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "SUSE Manager Proxy 3.2", product: { name: "SUSE Manager Proxy 3.2", product_id: "SUSE Manager Proxy 3.2", product_identification_helper: { cpe: "cpe:/o:suse:suse-manager-proxy:3.2", }, }, }, { category: "product_name", name: "SUSE Manager Server 3.2", product: { name: "SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2", product_identification_helper: { cpe: "cpe:/o:suse:suse-manager-server:3.2", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch as component of SUSE Manager Proxy 3.2", product_id: "SUSE Manager Proxy 3.2:python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", }, product_reference: "python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", relates_to_product_reference: "SUSE Manager Proxy 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-2.8.57.14-3.25.3.noarch as component of SUSE Manager Proxy 3.2", product_id: "SUSE Manager Proxy 3.2:spacewalk-backend-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Proxy 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-libs-2.8.57.14-3.25.3.noarch as component of SUSE Manager Proxy 3.2", product_id: "SUSE Manager Proxy 3.2:spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Proxy 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-base-minimal-2.8.7.15-3.24.3.noarch as component of SUSE Manager Proxy 3.2", product_id: "SUSE Manager Proxy 3.2:spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", }, product_reference: "spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", relates_to_product_reference: "SUSE Manager Proxy 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch as component of SUSE Manager Proxy 3.2", product_id: "SUSE Manager Proxy 3.2:spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", }, product_reference: "spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", relates_to_product_reference: "SUSE Manager Proxy 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-certs-tools-2.8.8.7-3.6.3.noarch as component of SUSE Manager Proxy 3.2", product_id: "SUSE Manager Proxy 3.2:spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", }, product_reference: "spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", relates_to_product_reference: "SUSE Manager Proxy 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-web-libs-2.8.7.15-3.24.3.noarch as component of SUSE Manager Proxy 3.2", product_id: "SUSE Manager Proxy 3.2:susemanager-web-libs-2.8.7.15-3.24.3.noarch", }, product_reference: "susemanager-web-libs-2.8.7.15-3.24.3.noarch", relates_to_product_reference: "SUSE Manager Proxy 3.2", }, { category: "default_component_of", full_product_name: { name: "apache-commons-lang3-3.4-3.3.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:apache-commons-lang3-3.4-3.3.3.noarch", }, product_reference: "apache-commons-lang3-3.4-3.3.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "cobbler-2.6.6-6.16.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:cobbler-2.6.6-6.16.3.noarch", }, product_reference: "cobbler-2.6.6-6.16.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "drools-7.17.0-3.3.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:drools-7.17.0-3.3.3.noarch", }, product_reference: "drools-7.17.0-3.3.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "guava-27.0.1-3.3.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:guava-27.0.1-3.3.3.noarch", }, product_reference: "guava-27.0.1-3.3.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "jade4j-1.0.7-3.3.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:jade4j-1.0.7-3.3.3.noarch", }, product_reference: "jade4j-1.0.7-3.3.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "kie-api-7.17.0-3.3.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:kie-api-7.17.0-3.3.3.noarch", }, product_reference: "kie-api-7.17.0-3.3.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "kie-soup-7.17.0.Final-2.3.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:kie-soup-7.17.0.Final-2.3.3.noarch", }, product_reference: "kie-soup-7.17.0.Final-2.3.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "optaplanner-7.17.0-3.3.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:optaplanner-7.17.0-3.3.3.noarch", }, product_reference: "optaplanner-7.17.0-3.3.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "py26-compat-salt-2016.11.10-6.21.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:py26-compat-salt-2016.11.10-6.21.3.noarch", }, product_reference: "py26-compat-salt-2016.11.10-6.21.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", }, product_reference: "python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "reprepro-5.3.0-2.3.3.ppc64le as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.ppc64le", }, product_reference: "reprepro-5.3.0-2.3.3.ppc64le", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "reprepro-5.3.0-2.3.3.s390x as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.s390x", }, product_reference: "reprepro-5.3.0-2.3.3.s390x", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "reprepro-5.3.0-2.3.3.x86_64 as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.x86_64", }, product_reference: "reprepro-5.3.0-2.3.3.x86_64", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "smdba-1.6.4-0.3.9.3.ppc64le as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.ppc64le", }, product_reference: "smdba-1.6.4-0.3.9.3.ppc64le", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "smdba-1.6.4-0.3.9.3.s390x as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.s390x", }, product_reference: "smdba-1.6.4-0.3.9.3.s390x", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "smdba-1.6.4-0.3.9.3.x86_64 as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.x86_64", }, product_reference: "smdba-1.6.4-0.3.9.3.x86_64", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacecmd-2.8.25.10-3.20.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacecmd-2.8.25.10-3.20.3.noarch", }, product_reference: "spacecmd-2.8.25.10-3.20.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-admin-2.8.4.4-3.6.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-admin-2.8.4.4-3.6.3.noarch", }, product_reference: "spacewalk-admin-2.8.4.4-3.6.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-app-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-app-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-app-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-applet-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-applet-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-applet-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-iss-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-iss-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-iss-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-libs-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-server-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-server-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-server-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-sql-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-sql-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-sql-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-tools-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-tools-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-tools-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch", }, product_reference: "spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-base-2.8.7.15-3.24.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-base-2.8.7.15-3.24.3.noarch", }, product_reference: "spacewalk-base-2.8.7.15-3.24.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-base-minimal-2.8.7.15-3.24.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", }, product_reference: "spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", }, product_reference: "spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-branding-2.8.5.15-3.19.3.ppc64le as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.ppc64le", }, product_reference: "spacewalk-branding-2.8.5.15-3.19.3.ppc64le", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-branding-2.8.5.15-3.19.3.s390x as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.s390x", }, product_reference: "spacewalk-branding-2.8.5.15-3.19.3.s390x", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-branding-2.8.5.15-3.19.3.x86_64 as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.x86_64", }, product_reference: "spacewalk-branding-2.8.5.15-3.19.3.x86_64", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-certs-tools-2.8.8.7-3.6.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", }, product_reference: "spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-html-2.8.7.15-3.24.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-html-2.8.7.15-3.24.3.noarch", }, product_reference: "spacewalk-html-2.8.7.15-3.24.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-java-2.8.78.21-3.29.1.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-java-2.8.78.21-3.29.1.noarch", }, product_reference: "spacewalk-java-2.8.78.21-3.29.1.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-java-config-2.8.78.21-3.29.1.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-java-config-2.8.78.21-3.29.1.noarch", }, product_reference: "spacewalk-java-config-2.8.78.21-3.29.1.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-java-lib-2.8.78.21-3.29.1.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-java-lib-2.8.78.21-3.29.1.noarch", }, product_reference: "spacewalk-java-lib-2.8.78.21-3.29.1.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-java-oracle-2.8.78.21-3.29.1.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-java-oracle-2.8.78.21-3.29.1.noarch", }, product_reference: "spacewalk-java-oracle-2.8.78.21-3.29.1.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch", }, product_reference: "spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "spacewalk-taskomatic-2.8.78.21-3.29.1.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:spacewalk-taskomatic-2.8.78.21-3.29.1.noarch", }, product_reference: "spacewalk-taskomatic-2.8.78.21-3.29.1.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "subscription-matcher-0.23-4.12.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:subscription-matcher-0.23-4.12.3.noarch", }, product_reference: "subscription-matcher-0.23-4.12.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-3.2.17-3.22.4.ppc64le as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.ppc64le", }, product_reference: "susemanager-3.2.17-3.22.4.ppc64le", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-3.2.17-3.22.4.s390x as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.s390x", }, product_reference: "susemanager-3.2.17-3.22.4.s390x", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-3.2.17-3.22.4.x86_64 as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.x86_64", }, product_reference: "susemanager-3.2.17-3.22.4.x86_64", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-schema-3.2.18-3.22.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-schema-3.2.18-3.22.3.noarch", }, product_reference: "susemanager-schema-3.2.18-3.22.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-sls-3.2.23-3.26.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-sls-3.2.23-3.26.3.noarch", }, product_reference: "susemanager-sls-3.2.23-3.26.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-sync-data-3.2.14-3.20.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-sync-data-3.2.14-3.20.3.noarch", }, product_reference: "susemanager-sync-data-3.2.14-3.20.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-tools-3.2.17-3.22.4.ppc64le as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.ppc64le", }, product_reference: "susemanager-tools-3.2.17-3.22.4.ppc64le", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-tools-3.2.17-3.22.4.s390x as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.s390x", }, product_reference: "susemanager-tools-3.2.17-3.22.4.s390x", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-tools-3.2.17-3.22.4.x86_64 as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.x86_64", }, product_reference: "susemanager-tools-3.2.17-3.22.4.x86_64", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "susemanager-web-libs-2.8.7.15-3.24.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:susemanager-web-libs-2.8.7.15-3.24.3.noarch", }, product_reference: "susemanager-web-libs-2.8.7.15-3.24.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.10-4.3.3.noarch as component of SUSE Manager Server 3.2", product_id: "SUSE Manager Server 3.2:xstream-1.4.10-4.3.3.noarch", }, product_reference: "xstream-1.4.10-4.3.3.noarch", relates_to_product_reference: "SUSE Manager Server 3.2", }, ], }, vulnerabilities: [ { cve: "CVE-2017-7957", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7957", }, ], notes: [ { category: "general", text: "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Manager Proxy 3.2:python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-backend-2.8.57.14-3.25.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Proxy 3.2:susemanager-web-libs-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:apache-commons-lang3-3.4-3.3.3.noarch", "SUSE Manager Server 3.2:cobbler-2.6.6-6.16.3.noarch", "SUSE Manager Server 3.2:drools-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:guava-27.0.1-3.3.3.noarch", "SUSE Manager Server 3.2:jade4j-1.0.7-3.3.3.noarch", "SUSE Manager Server 3.2:kie-api-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:kie-soup-7.17.0.Final-2.3.3.noarch", "SUSE Manager Server 3.2:optaplanner-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:py26-compat-salt-2016.11.10-6.21.3.noarch", "SUSE Manager Server 3.2:python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.ppc64le", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.s390x", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.x86_64", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.ppc64le", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.s390x", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.x86_64", "SUSE Manager Server 3.2:spacecmd-2.8.25.10-3.20.3.noarch", "SUSE Manager Server 3.2:spacewalk-admin-2.8.4.4-3.6.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-app-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-applet-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-iss-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-server-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-tools-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.ppc64le", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.s390x", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.x86_64", "SUSE Manager Server 3.2:spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Server 3.2:spacewalk-html-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-java-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-config-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-lib-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-oracle-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-taskomatic-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:subscription-matcher-0.23-4.12.3.noarch", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.ppc64le", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.s390x", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.x86_64", "SUSE Manager Server 3.2:susemanager-schema-3.2.18-3.22.3.noarch", "SUSE Manager Server 3.2:susemanager-sls-3.2.23-3.26.3.noarch", "SUSE Manager Server 3.2:susemanager-sync-data-3.2.14-3.20.3.noarch", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.ppc64le", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.s390x", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.x86_64", "SUSE Manager Server 3.2:susemanager-web-libs-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:xstream-1.4.10-4.3.3.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-7957", url: "https://www.suse.com/security/cve/CVE-2017-7957", }, { category: "external", summary: "SUSE Bug 1070731 for CVE-2017-7957", url: "https://bugzilla.suse.com/1070731", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Manager Proxy 3.2:python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-backend-2.8.57.14-3.25.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Proxy 3.2:susemanager-web-libs-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:apache-commons-lang3-3.4-3.3.3.noarch", "SUSE Manager Server 3.2:cobbler-2.6.6-6.16.3.noarch", "SUSE Manager Server 3.2:drools-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:guava-27.0.1-3.3.3.noarch", "SUSE Manager Server 3.2:jade4j-1.0.7-3.3.3.noarch", "SUSE Manager Server 3.2:kie-api-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:kie-soup-7.17.0.Final-2.3.3.noarch", "SUSE Manager Server 3.2:optaplanner-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:py26-compat-salt-2016.11.10-6.21.3.noarch", "SUSE Manager Server 3.2:python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.ppc64le", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.s390x", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.x86_64", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.ppc64le", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.s390x", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.x86_64", "SUSE Manager Server 3.2:spacecmd-2.8.25.10-3.20.3.noarch", "SUSE Manager Server 3.2:spacewalk-admin-2.8.4.4-3.6.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-app-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-applet-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-iss-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-server-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-tools-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.ppc64le", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.s390x", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.x86_64", "SUSE Manager Server 3.2:spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Server 3.2:spacewalk-html-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-java-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-config-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-lib-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-oracle-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-taskomatic-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:subscription-matcher-0.23-4.12.3.noarch", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.ppc64le", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.s390x", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.x86_64", "SUSE Manager Server 3.2:susemanager-schema-3.2.18-3.22.3.noarch", "SUSE Manager Server 3.2:susemanager-sls-3.2.23-3.26.3.noarch", "SUSE Manager Server 3.2:susemanager-sync-data-3.2.14-3.20.3.noarch", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.ppc64le", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.s390x", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.x86_64", "SUSE Manager Server 3.2:susemanager-web-libs-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:xstream-1.4.10-4.3.3.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "SUSE Manager Proxy 3.2:python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-backend-2.8.57.14-3.25.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", "SUSE Manager Proxy 3.2:spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Proxy 3.2:susemanager-web-libs-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:apache-commons-lang3-3.4-3.3.3.noarch", "SUSE Manager Server 3.2:cobbler-2.6.6-6.16.3.noarch", "SUSE Manager Server 3.2:drools-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:guava-27.0.1-3.3.3.noarch", "SUSE Manager Server 3.2:jade4j-1.0.7-3.3.3.noarch", "SUSE Manager Server 3.2:kie-api-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:kie-soup-7.17.0.Final-2.3.3.noarch", "SUSE Manager Server 3.2:optaplanner-7.17.0-3.3.3.noarch", "SUSE Manager Server 3.2:py26-compat-salt-2016.11.10-6.21.3.noarch", "SUSE Manager Server 3.2:python2-spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.ppc64le", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.s390x", "SUSE Manager Server 3.2:reprepro-5.3.0-2.3.3.x86_64", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.ppc64le", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.s390x", "SUSE Manager Server 3.2:smdba-1.6.4-0.3.9.3.x86_64", "SUSE Manager Server 3.2:spacecmd-2.8.25.10-3.20.3.noarch", "SUSE Manager Server 3.2:spacewalk-admin-2.8.4.4-3.6.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-app-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-applet-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-common-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-config-files-tool-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-iss-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-iss-export-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-package-push-server-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-server-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-oracle-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-tools-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-backend-xmlrpc-2.8.57.14-3.25.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-minimal-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-base-minimal-config-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.ppc64le", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.s390x", "SUSE Manager Server 3.2:spacewalk-branding-2.8.5.15-3.19.3.x86_64", "SUSE Manager Server 3.2:spacewalk-certs-tools-2.8.8.7-3.6.3.noarch", "SUSE Manager Server 3.2:spacewalk-html-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:spacewalk-java-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-config-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-lib-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-oracle-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-java-postgresql-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:spacewalk-taskomatic-2.8.78.21-3.29.1.noarch", "SUSE Manager Server 3.2:subscription-matcher-0.23-4.12.3.noarch", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.ppc64le", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.s390x", "SUSE Manager Server 3.2:susemanager-3.2.17-3.22.4.x86_64", "SUSE Manager Server 3.2:susemanager-schema-3.2.18-3.22.3.noarch", "SUSE Manager Server 3.2:susemanager-sls-3.2.23-3.26.3.noarch", "SUSE Manager Server 3.2:susemanager-sync-data-3.2.14-3.20.3.noarch", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.ppc64le", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.s390x", "SUSE Manager Server 3.2:susemanager-tools-3.2.17-3.22.4.x86_64", "SUSE Manager Server 3.2:susemanager-web-libs-2.8.7.15-3.24.3.noarch", "SUSE Manager Server 3.2:xstream-1.4.10-4.3.3.noarch", ], }, ], threats: [ { category: "impact", date: "2019-04-24T10:06:34Z", details: "important", }, ], title: "CVE-2017-7957", }, ], }
suse-su-2017:3389-1
Vulnerability from csaf_suse
Published
2017-12-20 16:03
Modified
2017-12-20 16:03
Summary
Security update for xstream
Notes
Title of the patch
Security update for xstream
Description of the patch
This update for xstream fixes the following issues:
- CVE-2017-7957: XStream could cause a Denial of Service when unmarshalling void. (bsc#1070731)
Patchnames
SUSE-SUSE-Manager-Server-3.0-2017-2124
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for xstream", title: "Title of the patch", }, { category: "description", text: "This update for xstream fixes the following issues:\n\n- CVE-2017-7957: XStream could cause a Denial of Service when unmarshalling void. (bsc#1070731)\n", title: "Description of the patch", }, { category: "details", text: "SUSE-SUSE-Manager-Server-3.0-2017-2124", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2017_3389-1.json", }, { category: "self", summary: "URL for SUSE-SU-2017:3389-1", url: "https://www.suse.com/support/update/announcement/2017/suse-su-20173389-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2017:3389-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2017-December/003545.html", }, { category: "self", summary: "SUSE Bug 1070731", url: "https://bugzilla.suse.com/1070731", }, { category: "self", summary: "SUSE CVE CVE-2017-7957 page", url: "https://www.suse.com/security/cve/CVE-2017-7957/", }, ], title: "Security update for xstream", tracking: { current_release_date: "2017-12-20T16:03:16Z", generator: { date: "2017-12-20T16:03:16Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2017:3389-1", initial_release_date: "2017-12-20T16:03:16Z", revision_history: [ { date: "2017-12-20T16:03:16Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "xstream-1.4.9-4.3.1.noarch", product: { name: "xstream-1.4.9-4.3.1.noarch", product_id: "xstream-1.4.9-4.3.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "SUSE Manager Server 3.0", product: { name: "SUSE Manager Server 3.0", product_id: "SUSE Manager Server 3.0", product_identification_helper: { cpe: "cpe:/o:suse:suse-manager-server:3.0", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "xstream-1.4.9-4.3.1.noarch as component of SUSE Manager Server 3.0", product_id: "SUSE Manager Server 3.0:xstream-1.4.9-4.3.1.noarch", }, product_reference: "xstream-1.4.9-4.3.1.noarch", relates_to_product_reference: "SUSE Manager Server 3.0", }, ], }, vulnerabilities: [ { cve: "CVE-2017-7957", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7957", }, ], notes: [ { category: "general", text: "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Manager Server 3.0:xstream-1.4.9-4.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-7957", url: "https://www.suse.com/security/cve/CVE-2017-7957", }, { category: "external", summary: "SUSE Bug 1070731 for CVE-2017-7957", url: "https://bugzilla.suse.com/1070731", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Manager Server 3.0:xstream-1.4.9-4.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "SUSE Manager Server 3.0:xstream-1.4.9-4.3.1.noarch", ], }, ], threats: [ { category: "impact", date: "2017-12-20T16:03:16Z", details: "important", }, ], title: "CVE-2017-7957", }, ], }
wid-sec-w-2024-0094
Vulnerability from csaf_certbund
Published
2024-01-15 23:00
Modified
2024-01-15 23:00
Summary
Atlassian Bamboo: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Bamboo ist ein Werkzeug zur kontinuierlichen Integration und Bereitstellung, das automatisierte Builds, Tests und Freigaben in einem einzigen Arbeitsablauf verbindet.
Angriff
Ein entfernter Angreifer kann mehrere Schwachstellen in Atlassian Bamboo ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen, beliebigen Code auszuführen, vertrauliche Informationen offenzulegen oder einen Request Smuggling-Angriff durchzuführen.
Betroffene Betriebssysteme
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Bamboo ist ein Werkzeug zur kontinuierlichen Integration und Bereitstellung, das automatisierte Builds, Tests und Freigaben in einem einzigen Arbeitsablauf verbindet.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter Angreifer kann mehrere Schwachstellen in Atlassian Bamboo ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen, beliebigen Code auszuführen, vertrauliche Informationen offenzulegen oder einen Request Smuggling-Angriff durchzuführen.", title: "Angriff", }, { category: "general", text: "- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0094 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0094.json", }, { category: "self", summary: "WID-SEC-2024-0094 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0094", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25623", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25622", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25614", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25613", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25612", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25609", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25607", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25606", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25640", }, ], source_lang: "en-US", title: "Atlassian Bamboo: Mehrere Schwachstellen", tracking: { current_release_date: "2024-01-15T23:00:00.000+00:00", generator: { date: "2024-08-15T18:03:40.850+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0094", initial_release_date: "2024-01-15T23:00:00.000+00:00", revision_history: [ { date: "2024-01-15T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Atlassian Bamboo < 9.4.2", product: { name: "Atlassian Bamboo < 9.4.2", product_id: "T032060", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.4.2", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.3.6", product: { name: "Atlassian Bamboo < 9.3.6", product_id: "T032061", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.3.6", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.2.8", product: { name: "Atlassian Bamboo < 9.2.8", product_id: "T032062", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.2.8", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.2.9", product: { name: "Atlassian Bamboo < 9.2.9", product_id: "T032064", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.2.9", }, }, }, ], category: "product_name", name: "Bamboo", }, ], category: "vendor", name: "Atlassian", }, ], }, vulnerabilities: [ { cve: "CVE-2023-5072", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen in Eclipse Jetty, Apache Avro Java SDK, Woodstox, JSON-Java und in den XStream-Komponenten von Drittanbietern aufgrund eines Integer-Überlaufs, einer unsachgemäßen Neutralisierung von Benutzereingaben und einer fehlerhaften Behandlung von primitiven Typen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2023-5072", }, { cve: "CVE-2023-39410", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen in Eclipse Jetty, Apache Avro Java SDK, Woodstox, JSON-Java und in den XStream-Komponenten von Drittanbietern aufgrund eines Integer-Überlaufs, einer unsachgemäßen Neutralisierung von Benutzereingaben und einer fehlerhaften Behandlung von primitiven Typen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2023-39410", }, { cve: "CVE-2023-36478", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen in Eclipse Jetty, Apache Avro Java SDK, Woodstox, JSON-Java und in den XStream-Komponenten von Drittanbietern aufgrund eines Integer-Überlaufs, einer unsachgemäßen Neutralisierung von Benutzereingaben und einer fehlerhaften Behandlung von primitiven Typen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2023-36478", }, { cve: "CVE-2022-40152", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen in Eclipse Jetty, Apache Avro Java SDK, Woodstox, JSON-Java und in den XStream-Komponenten von Drittanbietern aufgrund eines Integer-Überlaufs, einer unsachgemäßen Neutralisierung von Benutzereingaben und einer fehlerhaften Behandlung von primitiven Typen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2022-40152", }, { cve: "CVE-2017-7957", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen in Eclipse Jetty, Apache Avro Java SDK, Woodstox, JSON-Java und in den XStream-Komponenten von Drittanbietern aufgrund eines Integer-Überlaufs, einer unsachgemäßen Neutralisierung von Benutzereingaben und einer fehlerhaften Behandlung von primitiven Typen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2017-7957", }, { cve: "CVE-2020-26217", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen im XStream und in der H2-Datenbank. Ein entfernter, authentifizierter Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2020-26217", }, { cve: "CVE-2018-10054", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen im XStream und in der H2-Datenbank. Ein entfernter, authentifizierter Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2018-10054", }, { cve: "CVE-2023-46589", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen im Codeplex-Codehaus und in den Apache Tomcat-Komponenten aufgrund eines Path Traversal und eines Improper Input Validation Problems. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Request Smuggling Angriff durchzuführen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2023-46589", }, { cve: "CVE-2022-4244", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen im Codeplex-Codehaus und in den Apache Tomcat-Komponenten aufgrund eines Path Traversal und eines Improper Input Validation Problems. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Request Smuggling Angriff durchzuführen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2022-4244", }, ], }
wid-sec-w-2022-1375
Vulnerability from csaf_certbund
Published
2022-09-11 22:00
Modified
2023-09-14 22:00
Summary
JFrog Artifactory: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
JFrog Artifactory ist eine universelle DevOps-Lösung.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen.
Betroffene Betriebssysteme
- UNIX
- Linux
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "JFrog Artifactory ist eine universelle DevOps-Lösung.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2022-1375 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1375.json", }, { category: "self", summary: "WID-SEC-2022-1375 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1375", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:5165 vom 2023-09-14", url: "https://access.redhat.com/errata/RHSA-2023:5165", }, { category: "external", summary: "JFrog Fixed Security Vulnerabilities vom 2022-09-11", url: "https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities", }, { category: "external", summary: "JFrog Fixed Security Vulnerabilities", url: "https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2022:6782 vom 2022-10-04", url: "https://access.redhat.com/errata/RHSA-2022:6782", }, { category: "external", summary: "Ubuntu Security Notice USN-5776-1 vom 2022-12-13", url: "https://ubuntu.com/security/notices/USN-5776-1", }, ], source_lang: "en-US", title: "JFrog Artifactory: Mehrere Schwachstellen", tracking: { current_release_date: "2023-09-14T22:00:00.000+00:00", generator: { date: "2024-08-15T17:34:59.214+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2022-1375", initial_release_date: "2022-09-11T22:00:00.000+00:00", revision_history: [ { date: "2022-09-11T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2022-10-03T22:00:00.000+00:00", number: "2", summary: "Neue Updates aufgenommen", }, { date: "2022-10-04T22:00:00.000+00:00", number: "3", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2022-12-12T23:00:00.000+00:00", number: "4", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2022-12-20T23:00:00.000+00:00", number: "5", summary: "Referenz(en) aufgenommen: FEDORA-2022-DB674BAFD9, FEDORA-2022-7E327A20BE", }, { date: "2023-09-14T22:00:00.000+00:00", number: "6", summary: "Neue Updates von Red Hat aufgenommen", }, ], status: "final", version: "6", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "JFrog Artifactory", product: { name: "JFrog Artifactory", product_id: "T024527", product_identification_helper: { cpe: "cpe:/a:jfrog:artifactory:-", }, }, }, { category: "product_name", name: "JFrog Artifactory < 7.46.3", product: { name: "JFrog Artifactory < 7.46.3", product_id: "T024764", product_identification_helper: { cpe: "cpe:/a:jfrog:artifactory:7.46.3", }, }, }, ], category: "product_name", name: "Artifactory", }, ], category: "vendor", name: "JFrog", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "Ubuntu Linux", product: { name: "Ubuntu Linux", product_id: "T000126", product_identification_helper: { cpe: "cpe:/o:canonical:ubuntu_linux:-", }, }, }, ], category: "vendor", name: "Ubuntu", }, ], }, vulnerabilities: [ { cve: "CVE-2013-4517", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2013-4517", }, { cve: "CVE-2013-7285", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2013-7285", }, { cve: "CVE-2014-0107", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-0107", }, { cve: "CVE-2014-0114", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-0114", }, { cve: "CVE-2014-3577", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-3577", }, { cve: "CVE-2014-3623", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-3623", }, { cve: "CVE-2015-0227", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-0227", }, { cve: "CVE-2015-2575", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-2575", }, { cve: "CVE-2015-3253", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-3253", }, { cve: "CVE-2015-4852", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-4852", }, { cve: "CVE-2015-7940", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-7940", }, { cve: "CVE-2016-10750", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-10750", }, { cve: "CVE-2016-3092", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-3092", }, { cve: "CVE-2016-3674", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-3674", }, { cve: "CVE-2016-6501", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-6501", }, { cve: "CVE-2016-8735", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-8735", }, { cve: "CVE-2016-8745", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-8745", }, { cve: "CVE-2017-1000487", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-1000487", }, { cve: "CVE-2017-15095", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-15095", }, { cve: "CVE-2017-17485", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-17485", }, { cve: "CVE-2017-18214", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-18214", }, { cve: "CVE-2017-18640", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-18640", }, { cve: "CVE-2017-7525", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7525", }, { cve: "CVE-2017-7657", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7657", }, { cve: "CVE-2017-7957", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7957", }, { cve: "CVE-2017-9506", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-9506", }, { cve: "CVE-2018-1000206", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2018-1000206", }, { cve: "CVE-2018-9116", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2018-9116", }, { cve: "CVE-2019-10219", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-10219", }, { cve: "CVE-2019-12402", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-12402", }, { cve: "CVE-2019-17359", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-17359", }, { cve: "CVE-2019-17571", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-17571", }, { cve: "CVE-2019-20104", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-20104", }, { cve: "CVE-2020-11996", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-11996", }, { cve: "CVE-2020-13934", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13934", }, { cve: "CVE-2020-13935", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13935", }, { cve: "CVE-2020-13949", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13949", }, { cve: "CVE-2020-14340", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-14340", }, { cve: "CVE-2020-15586", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-15586", }, { cve: "CVE-2020-1745", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-1745", }, { cve: "CVE-2020-17521", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-17521", }, { cve: "CVE-2020-25649", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-25649", }, { cve: "CVE-2020-28500", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-28500", }, { cve: "CVE-2020-29582", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-29582", }, { cve: "CVE-2020-36518", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-36518", }, { cve: "CVE-2020-7226", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-7226", }, { cve: "CVE-2020-7692", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-7692", }, { cve: "CVE-2020-8203", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-8203", }, { cve: "CVE-2021-13936", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-13936", }, { cve: "CVE-2021-21290", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-21290", }, { cve: "CVE-2021-22060", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22060", }, { cve: "CVE-2021-22112", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22112", }, { cve: "CVE-2021-22119", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22119", }, { cve: "CVE-2021-22147", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22147", }, { cve: "CVE-2021-22148", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22148", }, { cve: "CVE-2021-22149", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22149", }, { cve: "CVE-2021-22573", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22573", }, { cve: "CVE-2021-23337", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-23337", }, { cve: "CVE-2021-25122", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-25122", }, { cve: "CVE-2021-26291", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-26291", }, { cve: "CVE-2021-27568", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-27568", }, { cve: "CVE-2021-29505", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-29505", }, { cve: "CVE-2021-30129", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-30129", }, { cve: "CVE-2021-33037", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-33037", }, { cve: "CVE-2021-35550", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35550", }, { cve: "CVE-2021-35556", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35556", }, { cve: "CVE-2021-35560", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35560", }, { cve: "CVE-2021-35561", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35561", }, { cve: "CVE-2021-35564", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35564", }, { cve: "CVE-2021-35565", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35565", }, { cve: "CVE-2021-35567", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35567", }, { cve: "CVE-2021-35578", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35578", }, { cve: "CVE-2021-35586", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35586", }, { cve: "CVE-2021-35588", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35588", }, { cve: "CVE-2021-35603", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35603", }, { cve: "CVE-2021-36374", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-36374", }, { cve: "CVE-2021-3765", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3765", }, { cve: "CVE-2021-3807", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3807", }, { cve: "CVE-2021-38561", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-38561", }, { cve: "CVE-2021-3859", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3859", }, { cve: "CVE-2021-41090", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-41090", }, { cve: "CVE-2021-41091", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-41091", }, { cve: "CVE-2021-42340", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-42340", }, { cve: "CVE-2021-42550", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-42550", }, { cve: "CVE-2021-43797", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-43797", }, { cve: "CVE-2022-0536", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-0536", }, { cve: "CVE-2022-22963", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-22963", }, { cve: "CVE-2022-23632", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23632", }, { cve: "CVE-2022-23648", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23648", }, { cve: "CVE-2022-23806", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23806", }, { cve: "CVE-2022-24769", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-24769", }, { cve: "CVE-2022-24823", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-24823", }, { cve: "CVE-2022-27191", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-27191", }, { cve: "CVE-2022-29153", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-29153", }, { cve: "CVE-2022-32212", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32212", }, { cve: "CVE-2022-32213", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32213", }, { cve: "CVE-2022-32214", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32214", }, { cve: "CVE-2022-32215", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32215", }, { cve: "CVE-2022-32223", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32223", }, ], }
WID-SEC-W-2022-1375
Vulnerability from csaf_certbund
Published
2022-09-11 22:00
Modified
2023-09-14 22:00
Summary
JFrog Artifactory: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
JFrog Artifactory ist eine universelle DevOps-Lösung.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen.
Betroffene Betriebssysteme
- UNIX
- Linux
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "JFrog Artifactory ist eine universelle DevOps-Lösung.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2022-1375 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1375.json", }, { category: "self", summary: "WID-SEC-2022-1375 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1375", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:5165 vom 2023-09-14", url: "https://access.redhat.com/errata/RHSA-2023:5165", }, { category: "external", summary: "JFrog Fixed Security Vulnerabilities vom 2022-09-11", url: "https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities", }, { category: "external", summary: "JFrog Fixed Security Vulnerabilities", url: "https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2022:6782 vom 2022-10-04", url: "https://access.redhat.com/errata/RHSA-2022:6782", }, { category: "external", summary: "Ubuntu Security Notice USN-5776-1 vom 2022-12-13", url: "https://ubuntu.com/security/notices/USN-5776-1", }, ], source_lang: "en-US", title: "JFrog Artifactory: Mehrere Schwachstellen", tracking: { current_release_date: "2023-09-14T22:00:00.000+00:00", generator: { date: "2024-08-15T17:34:59.214+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2022-1375", initial_release_date: "2022-09-11T22:00:00.000+00:00", revision_history: [ { date: "2022-09-11T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2022-10-03T22:00:00.000+00:00", number: "2", summary: "Neue Updates aufgenommen", }, { date: "2022-10-04T22:00:00.000+00:00", number: "3", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2022-12-12T23:00:00.000+00:00", number: "4", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2022-12-20T23:00:00.000+00:00", number: "5", summary: "Referenz(en) aufgenommen: FEDORA-2022-DB674BAFD9, FEDORA-2022-7E327A20BE", }, { date: "2023-09-14T22:00:00.000+00:00", number: "6", summary: "Neue Updates von Red Hat aufgenommen", }, ], status: "final", version: "6", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "JFrog Artifactory", product: { name: "JFrog Artifactory", product_id: "T024527", product_identification_helper: { cpe: "cpe:/a:jfrog:artifactory:-", }, }, }, { category: "product_name", name: "JFrog Artifactory < 7.46.3", product: { name: "JFrog Artifactory < 7.46.3", product_id: "T024764", product_identification_helper: { cpe: "cpe:/a:jfrog:artifactory:7.46.3", }, }, }, ], category: "product_name", name: "Artifactory", }, ], category: "vendor", name: "JFrog", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "Ubuntu Linux", product: { name: "Ubuntu Linux", product_id: "T000126", product_identification_helper: { cpe: "cpe:/o:canonical:ubuntu_linux:-", }, }, }, ], category: "vendor", name: "Ubuntu", }, ], }, vulnerabilities: [ { cve: "CVE-2013-4517", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2013-4517", }, { cve: "CVE-2013-7285", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2013-7285", }, { cve: "CVE-2014-0107", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-0107", }, { cve: "CVE-2014-0114", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-0114", }, { cve: "CVE-2014-3577", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-3577", }, { cve: "CVE-2014-3623", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-3623", }, { cve: "CVE-2015-0227", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-0227", }, { cve: "CVE-2015-2575", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-2575", }, { cve: "CVE-2015-3253", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-3253", }, { cve: "CVE-2015-4852", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-4852", }, { cve: "CVE-2015-7940", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-7940", }, { cve: "CVE-2016-10750", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-10750", }, { cve: "CVE-2016-3092", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-3092", }, { cve: "CVE-2016-3674", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-3674", }, { cve: "CVE-2016-6501", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-6501", }, { cve: "CVE-2016-8735", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-8735", }, { cve: "CVE-2016-8745", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-8745", }, { cve: "CVE-2017-1000487", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-1000487", }, { cve: "CVE-2017-15095", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-15095", }, { cve: "CVE-2017-17485", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-17485", }, { cve: "CVE-2017-18214", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-18214", }, { cve: "CVE-2017-18640", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-18640", }, { cve: "CVE-2017-7525", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7525", }, { cve: "CVE-2017-7657", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7657", }, { cve: "CVE-2017-7957", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7957", }, { cve: "CVE-2017-9506", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-9506", }, { cve: "CVE-2018-1000206", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2018-1000206", }, { cve: "CVE-2018-9116", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2018-9116", }, { cve: "CVE-2019-10219", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-10219", }, { cve: "CVE-2019-12402", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-12402", }, { cve: "CVE-2019-17359", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-17359", }, { cve: "CVE-2019-17571", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-17571", }, { cve: "CVE-2019-20104", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-20104", }, { cve: "CVE-2020-11996", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-11996", }, { cve: "CVE-2020-13934", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13934", }, { cve: "CVE-2020-13935", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13935", }, { cve: "CVE-2020-13949", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13949", }, { cve: "CVE-2020-14340", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-14340", }, { cve: "CVE-2020-15586", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-15586", }, { cve: "CVE-2020-1745", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-1745", }, { cve: "CVE-2020-17521", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-17521", }, { cve: "CVE-2020-25649", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-25649", }, { cve: "CVE-2020-28500", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-28500", }, { cve: "CVE-2020-29582", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-29582", }, { cve: "CVE-2020-36518", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-36518", }, { cve: "CVE-2020-7226", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-7226", }, { cve: "CVE-2020-7692", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-7692", }, { cve: "CVE-2020-8203", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-8203", }, { cve: "CVE-2021-13936", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-13936", }, { cve: "CVE-2021-21290", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-21290", }, { cve: "CVE-2021-22060", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22060", }, { cve: "CVE-2021-22112", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22112", }, { cve: "CVE-2021-22119", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22119", }, { cve: "CVE-2021-22147", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22147", }, { cve: "CVE-2021-22148", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22148", }, { cve: "CVE-2021-22149", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22149", }, { cve: "CVE-2021-22573", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22573", }, { cve: "CVE-2021-23337", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-23337", }, { cve: "CVE-2021-25122", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-25122", }, { cve: "CVE-2021-26291", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-26291", }, { cve: "CVE-2021-27568", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-27568", }, { cve: "CVE-2021-29505", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-29505", }, { cve: "CVE-2021-30129", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-30129", }, { cve: "CVE-2021-33037", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-33037", }, { cve: "CVE-2021-35550", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35550", }, { cve: "CVE-2021-35556", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35556", }, { cve: "CVE-2021-35560", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35560", }, { cve: "CVE-2021-35561", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35561", }, { cve: "CVE-2021-35564", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35564", }, { cve: "CVE-2021-35565", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35565", }, { cve: "CVE-2021-35567", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35567", }, { cve: "CVE-2021-35578", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35578", }, { cve: "CVE-2021-35586", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35586", }, { cve: "CVE-2021-35588", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35588", }, { cve: "CVE-2021-35603", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35603", }, { cve: "CVE-2021-36374", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-36374", }, { cve: "CVE-2021-3765", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3765", }, { cve: "CVE-2021-3807", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3807", }, { cve: "CVE-2021-38561", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-38561", }, { cve: "CVE-2021-3859", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3859", }, { cve: "CVE-2021-41090", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-41090", }, { cve: "CVE-2021-41091", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-41091", }, { cve: "CVE-2021-42340", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-42340", }, { cve: "CVE-2021-42550", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-42550", }, { cve: "CVE-2021-43797", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-43797", }, { cve: "CVE-2022-0536", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-0536", }, { cve: "CVE-2022-22963", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-22963", }, { cve: "CVE-2022-23632", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23632", }, { cve: "CVE-2022-23648", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23648", }, { cve: "CVE-2022-23806", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23806", }, { cve: "CVE-2022-24769", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-24769", }, { cve: "CVE-2022-24823", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-24823", }, { cve: "CVE-2022-27191", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-27191", }, { cve: "CVE-2022-29153", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-29153", }, { cve: "CVE-2022-32212", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32212", }, { cve: "CVE-2022-32213", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32213", }, { cve: "CVE-2022-32214", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32214", }, { cve: "CVE-2022-32215", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32215", }, { cve: "CVE-2022-32223", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32223", }, ], }
WID-SEC-W-2024-0094
Vulnerability from csaf_certbund
Published
2024-01-15 23:00
Modified
2024-01-15 23:00
Summary
Atlassian Bamboo: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Bamboo ist ein Werkzeug zur kontinuierlichen Integration und Bereitstellung, das automatisierte Builds, Tests und Freigaben in einem einzigen Arbeitsablauf verbindet.
Angriff
Ein entfernter Angreifer kann mehrere Schwachstellen in Atlassian Bamboo ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen, beliebigen Code auszuführen, vertrauliche Informationen offenzulegen oder einen Request Smuggling-Angriff durchzuführen.
Betroffene Betriebssysteme
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Bamboo ist ein Werkzeug zur kontinuierlichen Integration und Bereitstellung, das automatisierte Builds, Tests und Freigaben in einem einzigen Arbeitsablauf verbindet.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter Angreifer kann mehrere Schwachstellen in Atlassian Bamboo ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen, beliebigen Code auszuführen, vertrauliche Informationen offenzulegen oder einen Request Smuggling-Angriff durchzuführen.", title: "Angriff", }, { category: "general", text: "- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0094 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0094.json", }, { category: "self", summary: "WID-SEC-2024-0094 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0094", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25623", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25622", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25614", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25613", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25612", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25609", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25607", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25606", }, { category: "external", summary: "Atlassian Security Advisory vom 2024-01-15", url: "https://jira.atlassian.com/browse/BAM-25640", }, ], source_lang: "en-US", title: "Atlassian Bamboo: Mehrere Schwachstellen", tracking: { current_release_date: "2024-01-15T23:00:00.000+00:00", generator: { date: "2024-08-15T18:03:40.850+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0094", initial_release_date: "2024-01-15T23:00:00.000+00:00", revision_history: [ { date: "2024-01-15T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Atlassian Bamboo < 9.4.2", product: { name: "Atlassian Bamboo < 9.4.2", product_id: "T032060", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.4.2", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.3.6", product: { name: "Atlassian Bamboo < 9.3.6", product_id: "T032061", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.3.6", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.2.8", product: { name: "Atlassian Bamboo < 9.2.8", product_id: "T032062", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.2.8", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.2.9", product: { name: "Atlassian Bamboo < 9.2.9", product_id: "T032064", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.2.9", }, }, }, ], category: "product_name", name: "Bamboo", }, ], category: "vendor", name: "Atlassian", }, ], }, vulnerabilities: [ { cve: "CVE-2023-5072", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen in Eclipse Jetty, Apache Avro Java SDK, Woodstox, JSON-Java und in den XStream-Komponenten von Drittanbietern aufgrund eines Integer-Überlaufs, einer unsachgemäßen Neutralisierung von Benutzereingaben und einer fehlerhaften Behandlung von primitiven Typen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2023-5072", }, { cve: "CVE-2023-39410", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen in Eclipse Jetty, Apache Avro Java SDK, Woodstox, JSON-Java und in den XStream-Komponenten von Drittanbietern aufgrund eines Integer-Überlaufs, einer unsachgemäßen Neutralisierung von Benutzereingaben und einer fehlerhaften Behandlung von primitiven Typen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2023-39410", }, { cve: "CVE-2023-36478", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen in Eclipse Jetty, Apache Avro Java SDK, Woodstox, JSON-Java und in den XStream-Komponenten von Drittanbietern aufgrund eines Integer-Überlaufs, einer unsachgemäßen Neutralisierung von Benutzereingaben und einer fehlerhaften Behandlung von primitiven Typen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2023-36478", }, { cve: "CVE-2022-40152", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen in Eclipse Jetty, Apache Avro Java SDK, Woodstox, JSON-Java und in den XStream-Komponenten von Drittanbietern aufgrund eines Integer-Überlaufs, einer unsachgemäßen Neutralisierung von Benutzereingaben und einer fehlerhaften Behandlung von primitiven Typen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2022-40152", }, { cve: "CVE-2017-7957", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen in Eclipse Jetty, Apache Avro Java SDK, Woodstox, JSON-Java und in den XStream-Komponenten von Drittanbietern aufgrund eines Integer-Überlaufs, einer unsachgemäßen Neutralisierung von Benutzereingaben und einer fehlerhaften Behandlung von primitiven Typen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2017-7957", }, { cve: "CVE-2020-26217", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen im XStream und in der H2-Datenbank. Ein entfernter, authentifizierter Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2020-26217", }, { cve: "CVE-2018-10054", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen im XStream und in der H2-Datenbank. Ein entfernter, authentifizierter Angreifer kann diese Schwachstellen zur Ausführung von beliebigem Code ausnutzen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2018-10054", }, { cve: "CVE-2023-46589", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen im Codeplex-Codehaus und in den Apache Tomcat-Komponenten aufgrund eines Path Traversal und eines Improper Input Validation Problems. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Request Smuggling Angriff durchzuführen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2023-46589", }, { cve: "CVE-2022-4244", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in Atlassian Bamboo. Diese Fehler bestehen im Codeplex-Codehaus und in den Apache Tomcat-Komponenten aufgrund eines Path Traversal und eines Improper Input Validation Problems. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um vertrauliche Informationen offenzulegen und einen Request Smuggling Angriff durchzuführen.", }, ], release_date: "2024-01-15T23:00:00.000+00:00", title: "CVE-2022-4244", }, ], }
fkie_cve-2017-7957
Vulnerability from fkie_nvd
Published
2017-04-29 19:59
Modified
2024-11-21 03:33
Severity ?
Summary
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| xstream_project | xstream | * | |
| debian | debian_linux | 8.0 | |
| debian | debian_linux | 9.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*", matchCriteriaId: "09F03F13-9D82-4AC4-805E-330346A0A37A", versionEndIncluding: "1.4.9", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", }, { lang: "es", value: "XStream a través de 1.4.9, cuando no se utiliza una solución de denyTypes, mishandles intenta crear una instancia del tipo primitivo 'void' durante unmarshalling, dando lugar a un fallo de aplicación remota, como lo demuestra una llamda a xstream.fromXML (\" > \").", }, ], id: "CVE-2017-7957", lastModified: "2024-11-21T03:33:02.627", metrics: { cvssMetricV2: [ { acInsufInfo: true, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-04-29T19:59:00.167", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "http://www.debian.org/security/2017/dsa-3841", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/100687", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1039499", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://x-stream.github.io/CVE-2017-7957.html", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:1832", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/125800", }, { source: "cve@mitre.org", tags: [ "Permissions Required", ], url: "https://www-prd-trops.events.ibm.com/node/715749", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://www.debian.org/security/2017/dsa-3841", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/100687", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1039499", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://x-stream.github.io/CVE-2017-7957.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:1832", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/125800", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Permissions Required", ], url: "https://www-prd-trops.events.ibm.com/node/715749", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
opensuse-su-2024:10592-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
xstream-1.4.18-1.1 on GA media
Notes
Title of the patch
xstream-1.4.18-1.1 on GA media
Description of the patch
These are all security issues fixed in the xstream-1.4.18-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-10592
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "xstream-1.4.18-1.1 on GA media", title: "Title of the patch", }, { category: "description", text: "These are all security issues fixed in the xstream-1.4.18-1.1 package on the GA media of openSUSE Tumbleweed.", title: "Description of the patch", }, { category: "details", text: "openSUSE-Tumbleweed-2024-10592", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10592-1.json", }, { category: "self", summary: "SUSE CVE CVE-2016-3674 page", url: "https://www.suse.com/security/cve/CVE-2016-3674/", }, { category: "self", summary: "SUSE CVE CVE-2017-7957 page", url: "https://www.suse.com/security/cve/CVE-2017-7957/", }, { category: "self", summary: "SUSE CVE CVE-2020-26217 page", url: "https://www.suse.com/security/cve/CVE-2020-26217/", }, { category: "self", summary: "SUSE CVE CVE-2020-26258 page", url: "https://www.suse.com/security/cve/CVE-2020-26258/", }, { category: "self", summary: "SUSE CVE CVE-2020-26259 page", url: "https://www.suse.com/security/cve/CVE-2020-26259/", }, { category: "self", summary: "SUSE CVE CVE-2021-21341 page", url: "https://www.suse.com/security/cve/CVE-2021-21341/", }, { category: "self", summary: "SUSE CVE CVE-2021-21342 page", url: "https://www.suse.com/security/cve/CVE-2021-21342/", }, { category: "self", summary: "SUSE CVE CVE-2021-21343 page", url: "https://www.suse.com/security/cve/CVE-2021-21343/", }, { category: "self", summary: "SUSE CVE CVE-2021-21344 page", url: "https://www.suse.com/security/cve/CVE-2021-21344/", }, { category: "self", summary: "SUSE CVE CVE-2021-21345 page", url: "https://www.suse.com/security/cve/CVE-2021-21345/", }, { category: "self", summary: "SUSE CVE CVE-2021-21346 page", url: "https://www.suse.com/security/cve/CVE-2021-21346/", }, { category: "self", summary: "SUSE CVE CVE-2021-21347 page", url: "https://www.suse.com/security/cve/CVE-2021-21347/", }, { category: "self", summary: "SUSE CVE CVE-2021-21348 page", url: "https://www.suse.com/security/cve/CVE-2021-21348/", }, { category: "self", summary: "SUSE CVE CVE-2021-21349 page", url: "https://www.suse.com/security/cve/CVE-2021-21349/", }, { category: "self", summary: "SUSE CVE CVE-2021-21350 page", url: "https://www.suse.com/security/cve/CVE-2021-21350/", }, { category: "self", summary: "SUSE CVE CVE-2021-21351 page", url: "https://www.suse.com/security/cve/CVE-2021-21351/", }, { category: "self", summary: "SUSE CVE CVE-2021-29505 page", url: "https://www.suse.com/security/cve/CVE-2021-29505/", }, { category: "self", summary: "SUSE CVE CVE-2021-39139 page", url: "https://www.suse.com/security/cve/CVE-2021-39139/", }, { category: "self", summary: "SUSE CVE CVE-2021-39144 page", url: "https://www.suse.com/security/cve/CVE-2021-39144/", }, { category: "self", summary: "SUSE CVE CVE-2021-39147 page", url: "https://www.suse.com/security/cve/CVE-2021-39147/", }, { category: "self", summary: "SUSE CVE CVE-2021-39150 page", url: "https://www.suse.com/security/cve/CVE-2021-39150/", }, { category: "self", summary: "SUSE CVE CVE-2021-39153 page", url: "https://www.suse.com/security/cve/CVE-2021-39153/", }, ], title: "xstream-1.4.18-1.1 on GA media", tracking: { current_release_date: "2024-06-15T00:00:00Z", generator: { date: "2024-06-15T00:00:00Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2024:10592-1", initial_release_date: "2024-06-15T00:00:00Z", revision_history: [ { date: "2024-06-15T00:00:00Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "xstream-1.4.18-1.1.aarch64", product: { name: "xstream-1.4.18-1.1.aarch64", product_id: "xstream-1.4.18-1.1.aarch64", }, }, { category: "product_version", name: "xstream-benchmark-1.4.18-1.1.aarch64", product: { name: "xstream-benchmark-1.4.18-1.1.aarch64", product_id: "xstream-benchmark-1.4.18-1.1.aarch64", }, }, { category: "product_version", name: "xstream-javadoc-1.4.18-1.1.aarch64", product: { name: "xstream-javadoc-1.4.18-1.1.aarch64", product_id: "xstream-javadoc-1.4.18-1.1.aarch64", }, }, { category: "product_version", name: "xstream-parent-1.4.18-1.1.aarch64", product: { name: "xstream-parent-1.4.18-1.1.aarch64", product_id: "xstream-parent-1.4.18-1.1.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "xstream-1.4.18-1.1.ppc64le", product: { name: "xstream-1.4.18-1.1.ppc64le", product_id: "xstream-1.4.18-1.1.ppc64le", }, }, { category: "product_version", name: "xstream-benchmark-1.4.18-1.1.ppc64le", product: { name: "xstream-benchmark-1.4.18-1.1.ppc64le", product_id: "xstream-benchmark-1.4.18-1.1.ppc64le", }, }, { category: "product_version", name: "xstream-javadoc-1.4.18-1.1.ppc64le", product: { name: "xstream-javadoc-1.4.18-1.1.ppc64le", product_id: "xstream-javadoc-1.4.18-1.1.ppc64le", }, }, { category: "product_version", name: "xstream-parent-1.4.18-1.1.ppc64le", product: { name: "xstream-parent-1.4.18-1.1.ppc64le", product_id: "xstream-parent-1.4.18-1.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "xstream-1.4.18-1.1.s390x", product: { name: "xstream-1.4.18-1.1.s390x", product_id: "xstream-1.4.18-1.1.s390x", }, }, { category: "product_version", name: "xstream-benchmark-1.4.18-1.1.s390x", product: { name: "xstream-benchmark-1.4.18-1.1.s390x", product_id: "xstream-benchmark-1.4.18-1.1.s390x", }, }, { category: "product_version", name: "xstream-javadoc-1.4.18-1.1.s390x", product: { name: "xstream-javadoc-1.4.18-1.1.s390x", product_id: "xstream-javadoc-1.4.18-1.1.s390x", }, }, { category: "product_version", name: "xstream-parent-1.4.18-1.1.s390x", product: { name: "xstream-parent-1.4.18-1.1.s390x", product_id: "xstream-parent-1.4.18-1.1.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "xstream-1.4.18-1.1.x86_64", product: { name: "xstream-1.4.18-1.1.x86_64", product_id: "xstream-1.4.18-1.1.x86_64", }, }, { category: "product_version", name: "xstream-benchmark-1.4.18-1.1.x86_64", product: { name: "xstream-benchmark-1.4.18-1.1.x86_64", product_id: "xstream-benchmark-1.4.18-1.1.x86_64", }, }, { category: "product_version", name: "xstream-javadoc-1.4.18-1.1.x86_64", product: { name: "xstream-javadoc-1.4.18-1.1.x86_64", product_id: "xstream-javadoc-1.4.18-1.1.x86_64", }, }, { category: "product_version", name: "xstream-parent-1.4.18-1.1.x86_64", product: { name: "xstream-parent-1.4.18-1.1.x86_64", product_id: "xstream-parent-1.4.18-1.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "openSUSE Tumbleweed", product: { name: "openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed", product_identification_helper: { cpe: "cpe:/o:opensuse:tumbleweed", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "xstream-1.4.18-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", }, product_reference: "xstream-1.4.18-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.18-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", }, product_reference: "xstream-1.4.18-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.18-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", }, product_reference: "xstream-1.4.18-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.18-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", }, product_reference: "xstream-1.4.18-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-benchmark-1.4.18-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", }, product_reference: "xstream-benchmark-1.4.18-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-benchmark-1.4.18-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", }, product_reference: "xstream-benchmark-1.4.18-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-benchmark-1.4.18-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", }, product_reference: "xstream-benchmark-1.4.18-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-benchmark-1.4.18-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", }, product_reference: "xstream-benchmark-1.4.18-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-javadoc-1.4.18-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", }, product_reference: "xstream-javadoc-1.4.18-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-javadoc-1.4.18-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", }, product_reference: "xstream-javadoc-1.4.18-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-javadoc-1.4.18-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", }, product_reference: "xstream-javadoc-1.4.18-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-javadoc-1.4.18-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", }, product_reference: "xstream-javadoc-1.4.18-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-parent-1.4.18-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", }, product_reference: "xstream-parent-1.4.18-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-parent-1.4.18-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", }, product_reference: "xstream-parent-1.4.18-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-parent-1.4.18-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", }, product_reference: "xstream-parent-1.4.18-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-parent-1.4.18-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", }, product_reference: "xstream-parent-1.4.18-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, ], }, vulnerabilities: [ { cve: "CVE-2016-3674", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-3674", }, ], notes: [ { category: "general", text: "Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2016-3674", url: "https://www.suse.com/security/cve/CVE-2016-3674", }, { category: "external", summary: "SUSE Bug 972950 for CVE-2016-3674", url: "https://bugzilla.suse.com/972950", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2016-3674", }, { cve: "CVE-2017-7957", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7957", }, ], notes: [ { category: "general", text: "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-7957", url: "https://www.suse.com/security/cve/CVE-2017-7957", }, { category: "external", summary: "SUSE Bug 1070731 for CVE-2017-7957", url: "https://bugzilla.suse.com/1070731", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2017-7957", }, { cve: "CVE-2020-26217", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-26217", }, ], notes: [ { category: "general", text: "XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-26217", url: "https://www.suse.com/security/cve/CVE-2020-26217", }, { category: "external", summary: "SUSE Bug 1180994 for CVE-2020-26217", url: "https://bugzilla.suse.com/1180994", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-26217", }, { cve: "CVE-2020-26258", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-26258", }, ], notes: [ { category: "general", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-26258", url: "https://www.suse.com/security/cve/CVE-2020-26258", }, { category: "external", summary: "SUSE Bug 1180146 for CVE-2020-26258", url: "https://bugzilla.suse.com/1180146", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 4.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2020-26258", }, { cve: "CVE-2020-26259", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-26259", }, ], notes: [ { category: "general", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-26259", url: "https://www.suse.com/security/cve/CVE-2020-26259", }, { category: "external", summary: "SUSE Bug 1180145 for CVE-2020-26259", url: "https://bugzilla.suse.com/1180145", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2020-26259", }, { cve: "CVE-2021-21341", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21341", }, ], notes: [ { category: "general", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-21341", url: "https://www.suse.com/security/cve/CVE-2021-21341", }, { category: "external", summary: "SUSE Bug 1184377 for CVE-2021-21341", url: "https://bugzilla.suse.com/1184377", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2021-21341", }, { cve: "CVE-2021-21342", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21342", }, ], notes: [ { category: "general", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-21342", url: "https://www.suse.com/security/cve/CVE-2021-21342", }, { category: "external", summary: "SUSE Bug 1184379 for CVE-2021-21342", url: "https://bugzilla.suse.com/1184379", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.4, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-21342", }, { cve: "CVE-2021-21343", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21343", }, ], notes: [ { category: "general", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-21343", url: "https://www.suse.com/security/cve/CVE-2021-21343", }, { category: "external", summary: "SUSE Bug 1184376 for CVE-2021-21343", url: "https://bugzilla.suse.com/1184376", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2021-21343", }, { cve: "CVE-2021-21344", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21344", }, ], notes: [ { category: "general", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-21344", url: "https://www.suse.com/security/cve/CVE-2021-21344", }, { category: "external", summary: "SUSE Bug 1184375 for CVE-2021-21344", url: "https://bugzilla.suse.com/1184375", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.3, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-21344", }, { cve: "CVE-2021-21345", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21345", }, ], notes: [ { category: "general", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-21345", url: "https://www.suse.com/security/cve/CVE-2021-21345", }, { category: "external", summary: "SUSE Bug 1184372 for CVE-2021-21345", url: "https://bugzilla.suse.com/1184372", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-21345", }, { cve: "CVE-2021-21346", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21346", }, ], notes: [ { category: "general", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-21346", url: "https://www.suse.com/security/cve/CVE-2021-21346", }, { category: "external", summary: "SUSE Bug 1184373 for CVE-2021-21346", url: "https://bugzilla.suse.com/1184373", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-21346", }, { cve: "CVE-2021-21347", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21347", }, ], notes: [ { category: "general", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-21347", url: "https://www.suse.com/security/cve/CVE-2021-21347", }, { category: "external", summary: "SUSE Bug 1184378 for CVE-2021-21347", url: "https://bugzilla.suse.com/1184378", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-21347", }, { cve: "CVE-2021-21348", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21348", }, ], notes: [ { category: "general", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-21348", url: "https://www.suse.com/security/cve/CVE-2021-21348", }, { category: "external", summary: "SUSE Bug 1184374 for CVE-2021-21348", url: "https://bugzilla.suse.com/1184374", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2021-21348", }, { cve: "CVE-2021-21349", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21349", }, ], notes: [ { category: "general", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-21349", url: "https://www.suse.com/security/cve/CVE-2021-21349", }, { category: "external", summary: "SUSE Bug 1184797 for CVE-2021-21349", url: "https://bugzilla.suse.com/1184797", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2021-21349", }, { cve: "CVE-2021-21350", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21350", }, ], notes: [ { category: "general", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-21350", url: "https://www.suse.com/security/cve/CVE-2021-21350", }, { category: "external", summary: "SUSE Bug 1184380 for CVE-2021-21350", url: "https://bugzilla.suse.com/1184380", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-21350", }, { cve: "CVE-2021-21351", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21351", }, ], notes: [ { category: "general", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-21351", url: "https://www.suse.com/security/cve/CVE-2021-21351", }, { category: "external", summary: "SUSE Bug 1184796 for CVE-2021-21351", url: "https://bugzilla.suse.com/1184796", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-21351", }, { cve: "CVE-2021-29505", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-29505", }, ], notes: [ { category: "general", text: "XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-29505", url: "https://www.suse.com/security/cve/CVE-2021-29505", }, { category: "external", summary: "SUSE Bug 1186651 for CVE-2021-29505", url: "https://bugzilla.suse.com/1186651", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-29505", }, { cve: "CVE-2021-39139", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-39139", }, ], notes: [ { category: "general", text: "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-39139", url: "https://www.suse.com/security/cve/CVE-2021-39139", }, { category: "external", summary: "SUSE Bug 1189798 for CVE-2021-39139", url: "https://bugzilla.suse.com/1189798", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-39139", }, { cve: "CVE-2021-39144", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-39144", }, ], notes: [ { category: "general", text: "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-39144", url: "https://www.suse.com/security/cve/CVE-2021-39144", }, { category: "external", summary: "SUSE Bug 1189798 for CVE-2021-39144", url: "https://bugzilla.suse.com/1189798", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-39144", }, { cve: "CVE-2021-39147", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-39147", }, ], notes: [ { category: "general", text: "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-39147", url: "https://www.suse.com/security/cve/CVE-2021-39147", }, { category: "external", summary: "SUSE Bug 1189798 for CVE-2021-39147", url: "https://bugzilla.suse.com/1189798", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-39147", }, { cve: "CVE-2021-39150", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-39150", }, ], notes: [ { category: "general", text: "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-39150", url: "https://www.suse.com/security/cve/CVE-2021-39150", }, { category: "external", summary: "SUSE Bug 1189798 for CVE-2021-39150", url: "https://bugzilla.suse.com/1189798", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-39150", }, { cve: "CVE-2021-39153", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-39153", }, ], notes: [ { category: "general", text: "XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-39153", url: "https://www.suse.com/security/cve/CVE-2021-39153", }, { category: "external", summary: "SUSE Bug 1189798 for CVE-2021-39153", url: "https://bugzilla.suse.com/1189798", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.18-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.18-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-39153", }, ], }
gsd-2017-7957
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
Aliases
Aliases
{ GSD: { alias: "CVE-2017-7957", description: "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", id: "GSD-2017-7957", references: [ "https://www.suse.com/security/cve/CVE-2017-7957.html", "https://www.debian.org/security/2017/dsa-3841", "https://access.redhat.com/errata/RHSA-2017:2889", "https://access.redhat.com/errata/RHSA-2017:2888", "https://access.redhat.com/errata/RHSA-2017:1832", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2017-7957", ], details: "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", id: "GSD-2017-7957", modified: "2023-12-13T01:21:06.929744Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-7957", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2017:2888", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { name: "RHSA-2017:1832", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:1832", }, { name: "RHSA-2017:2889", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { name: "1039499", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1039499", }, { name: "https://www-prd-trops.events.ibm.com/node/715749", refsource: "CONFIRM", url: "https://www-prd-trops.events.ibm.com/node/715749", }, { name: "xstream-cve20177957-dos(125800)", refsource: "XF", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/125800", }, { name: "DSA-3841", refsource: "DEBIAN", url: "http://www.debian.org/security/2017/dsa-3841", }, { name: "http://x-stream.github.io/CVE-2017-7957.html", refsource: "CONFIRM", url: "http://x-stream.github.io/CVE-2017-7957.html", }, { name: "100687", refsource: "BID", url: "http://www.securityfocus.com/bid/100687", }, ], }, }, "gitlab.com": { advisories: [ { affected_range: "(,1.4.9]", affected_versions: "All versions up to 1.4.9", cvss_v2: "AV:N/AC:L/Au:N/C:N/I:N/A:P", cvss_v3: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", cwe_ids: [ "CWE-1035", "CWE-20", "CWE-937", ], date: "2019-03-26", description: "XStream, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", fixed_versions: [ "1.4.10", ], identifier: "CVE-2017-7957", identifiers: [ "CVE-2017-7957", ], not_impacted: "All versions after 1.4.9", package_slug: "maven/com.thoughtworks.xstream/xstream", pubdate: "2017-04-29", solution: "Upgrade to version 1.4.10 or above.", title: "Denial of Service", urls: [ "http://x-stream.github.io/CVE-2017-7957.html", "https://access.redhat.com/security/cve/cve-2017-7957", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957", "https://security-tracker.debian.org/tracker/CVE-2017-7957", ], uuid: "3e5ded16-5dd3-4776-987c-f3b5912beb26", }, { affected_range: "(,1.4.9]", affected_versions: "All versions up to 1.4.9", cvss_v2: "AV:N/AC:L/Au:N/C:N/I:N/A:P", cvss_v3: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", cwe_ids: [ "CWE-1035", "CWE-20", "CWE-937", ], date: "2019-03-26", description: "When a certain `denyTypes` workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an `xstream.fromXML(<void/>)` call.", fixed_versions: [ "1.4.10", ], identifier: "CVE-2017-7957", identifiers: [ "CVE-2017-7957", ], not_impacted: "All versions after 1.4.9", package_slug: "maven/xstream/xstream", pubdate: "2017-04-29", solution: "Upgrade to version 1.4.10 or above.", title: "Improper Input Validation", urls: [ "http://x-stream.github.io/CVE-2017-7957.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957", "https://access.redhat.com/security/cve/cve-2017-7957", "https://security-tracker.debian.org/tracker/CVE-2017-7957", ], uuid: "a30b9c56-a9cb-4462-98fc-1e52bdea5348", }, ], }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*", cpe_name: [], versionEndIncluding: "1.4.9", vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-7957", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "CWE-20", }, ], }, ], }, references: { reference_data: [ { name: "http://x-stream.github.io/CVE-2017-7957.html", refsource: "CONFIRM", tags: [ "Vendor Advisory", ], url: "http://x-stream.github.io/CVE-2017-7957.html", }, { name: "100687", refsource: "BID", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/100687", }, { name: "1039499", refsource: "SECTRACK", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1039499", }, { name: "DSA-3841", refsource: "DEBIAN", tags: [ "Third Party Advisory", ], url: "http://www.debian.org/security/2017/dsa-3841", }, { name: "RHSA-2017:2889", refsource: "REDHAT", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { name: "RHSA-2017:2888", refsource: "REDHAT", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { name: "RHSA-2017:1832", refsource: "REDHAT", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:1832", }, { name: "https://www-prd-trops.events.ibm.com/node/715749", refsource: "CONFIRM", tags: [ "Permissions Required", ], url: "https://www-prd-trops.events.ibm.com/node/715749", }, { name: "xstream-cve20177957-dos(125800)", refsource: "XF", tags: [ "Third Party Advisory", "VDB Entry", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/125800", }, ], }, }, impact: { baseMetricV2: { acInsufInfo: true, cvssV2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "MEDIUM", userInteractionRequired: false, }, baseMetricV3: { cvssV3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 3.6, }, }, lastModifiedDate: "2019-03-26T17:15Z", publishedDate: "2017-04-29T19:59Z", }, }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.