Action not permitted
Modal body text goes here.
cve-2023-45648
Vulnerability from cvelistv5
Published
2023-10-10 18:38
Modified
2024-11-12 19:19
Severity ?
EPSS score ?
Summary
Apache Tomcat: Trailer header parsing too lenient
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Apache Software Foundation | Apache Tomcat |
Version: 11.0.0-M1 ≤ 11.0.0-M11 Version: 10.1.0-M1 ≤ 10.1.13 Version: 9.0.0-M1 ≤ 9.0.81 Version: 8.5.0 ≤ 8.5.93 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:21:16.919Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/10/10" }, { "tags": [ "x_transferred" ], "url": "https://www.debian.org/security/2023/dsa-5522" }, { "tags": [ "x_transferred" ], "url": "https://www.debian.org/security/2023/dsa-5521" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20231103-0007/" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:apache:tomcat:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "tomcat", "vendor": "apache", "versions": [ { "lessThanOrEqual": "11.0.0-m11", "status": "affected", "version": "11.0.0-m1", "versionType": "semver" }, { "lessThanOrEqual": "10.1.13", "status": "affected", "version": "10.1.0-m1", "versionType": "semver" }, { "lessThanOrEqual": "9.0.81", "status": "affected", "version": "9.0.0-m1", "versionType": "semver" }, { "lessThanOrEqual": "8.5.93", "status": "affected", "version": "8.5.0", "versionType": "semver" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-45648", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-18T16:17:04.147109Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-12T19:19:28.733Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "11.0.0-M11", "status": "affected", "version": "11.0.0-M1", "versionType": "semver" }, { "lessThanOrEqual": "10.1.13", "status": "affected", "version": "10.1.0-M1", "versionType": "semver" }, { "lessThanOrEqual": "9.0.81", "status": "affected", "version": "9.0.0-M1", "versionType": "semver" }, { "lessThanOrEqual": "8.5.93", "status": "affected", "version": "8.5.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Keran Mu and Jianjun Chen from Tsinghua University and Zhongguancun Laboratory" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Input Validation vulnerability in Apache Tomcat.\u003cp\u003eTomcat\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003efrom 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93\u003c/span\u003e did not correctly parse HTTP trailer headers. A specially \ncrafted, invalid trailer header could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e" } ], "value": "Improper Input Validation vulnerability in Apache Tomcat.Tomcat\u00a0from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially \ncrafted, invalid trailer header could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.\n\n" } ], "metrics": [ { "other": { "content": { "text": "important" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-10T18:38:34.097Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp" }, { "url": "http://www.openwall.com/lists/oss-security/2023/10/10/10" }, { "url": "https://www.debian.org/security/2023/dsa-5522" }, { "url": "https://www.debian.org/security/2023/dsa-5521" }, { "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" }, { "url": "https://security.netapp.com/advisory/ntap-20231103-0007/" } ], "source": { "discovery": "EXTERNAL" }, "title": "Apache Tomcat: Trailer header parsing too lenient", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-45648", "datePublished": "2023-10-10T18:38:34.097Z", "dateReserved": "2023-10-10T11:31:15.664Z", "dateUpdated": "2024-11-12T19:19:28.733Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2023-45648\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2023-10-10T19:15:09.690\",\"lastModified\":\"2024-11-21T08:27:08.117\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Input Validation vulnerability in Apache Tomcat.Tomcat\u00a0from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially \\ncrafted, invalid trailer header could cause Tomcat to treat a single \\nrequest as multiple requests leading to the possibility of request \\nsmuggling when behind a reverse proxy.\\n\\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.\\n\\n\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de validaci\u00f3n de entrada incorrecta en Apache Tomcat.Tomcat desde 11.0.0-M1 hasta 11.0.0-M11, desde 10.1.0-M1 hasta 10.1.13, desde 9.0.0-M1 hasta 9.0.81 y desde 8.5.0 hasta 8.5 .93 no analizaron correctamente los encabezados de las colas HTTP. Un encabezado de avance no v\u00e1lido y especialmente manipulado podr\u00eda hacer que Tomcat trate una sola solicitud como solicitudes m\u00faltiples, lo que genera la posibilidad de contrabando de solicitudes cuando est\u00e1 detr\u00e1s de un proxy inverso. Se recomienda a los usuarios actualizar a la versi\u00f3n 11.0.0-M12 en adelante, 10.1.14 en adelante, 9.0.81 en adelante o 8.5.94 en adelante, que solucionan el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.5.0\",\"versionEndExcluding\":\"8.5.94\",\"matchCriteriaId\":\"FE1F7111-22BD-489A-B2C9-E67E0D601824\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0.1\",\"versionEndExcluding\":\"9.0.81\",\"matchCriteriaId\":\"37FCE624-DD65-4AC5-A602-BB66E0E54CFC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.1.1\",\"versionEndExcluding\":\"10.1.14\",\"matchCriteriaId\":\"0995DE67-7E3B-4CFE-AB96-E2243F994755\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*\",\"matchCriteriaId\":\"9D0689FE-4BC0-4F53-8C79-34B21F9B86C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*\",\"matchCriteriaId\":\"89B129B2-FB6F-4EF9-BF12-E589A87996CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B6787B6-54A8-475E-BA1C-AB99334B2535\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*\",\"matchCriteriaId\":\"EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*\",\"matchCriteriaId\":\"E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A6DA0BE-908C-4DA8-A191-A0113235E99A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*\",\"matchCriteriaId\":\"39029C72-28B4-46A4-BFF5-EC822CFB2A4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*\",\"matchCriteriaId\":\"1A2E05A3-014F-4C4D-81E5-88E725FBD6AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*\",\"matchCriteriaId\":\"166C533C-0833-41D5-99B6-17A4FAB3CAF0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3768C60-21FA-4B92-B98C-C3A2602D1BC4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*\",\"matchCriteriaId\":\"DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*\",\"matchCriteriaId\":\"9F542E12-6BA8-4504-A494-DA83E7E19BD5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*\",\"matchCriteriaId\":\"C2409CC7-6A85-4A66-A457-0D62B9895DC1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*\",\"matchCriteriaId\":\"B392A7E5-4455-4B1C-8FAC-AE6DDC70689E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF411DDA-2601-449A-9046-D250419A0E1A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*\",\"matchCriteriaId\":\"D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*\",\"matchCriteriaId\":\"1B4FBF97-DE16-4E5E-BE19-471E01818D40\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B266B1E-24B5-47EE-A421-E0E3CC0C7471\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*\",\"matchCriteriaId\":\"29614C3A-6FB3-41C7-B56E-9CC3F45B04F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*\",\"matchCriteriaId\":\"C6AB156C-8FF6-4727-AF75-590D0DCB3F9D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*\",\"matchCriteriaId\":\"C0C5F004-F7D8-45DB-B173-351C50B0EC16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1902D2E-1896-4D3D-9E1C-3A675255072C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*\",\"matchCriteriaId\":\"49AAF4DF-F61D-47A8-8788-A21E317A145D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*\",\"matchCriteriaId\":\"454211D0-60A2-4661-AECA-4C0121413FEB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*\",\"matchCriteriaId\":\"0686F977-889F-4960-8E0B-7784B73A7F2D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*\",\"matchCriteriaId\":\"558703AE-DB5E-4DFF-B497-C36694DD7B24\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*\",\"matchCriteriaId\":\"ED6273F2-1165-47A4-8DD7-9E9B2472941B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*\",\"matchCriteriaId\":\"6D402B5D-5901-43EB-8E6A-ECBD512CE367\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*\",\"matchCriteriaId\":\"33C71AE1-B38E-4783-BAC2-3CDA7B4D9EBA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*\",\"matchCriteriaId\":\"F6BD4180-D3E8-42AB-96B1-3869ECF47F6C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*\",\"matchCriteriaId\":\"64668CCF-DBC9-442D-9E0F-FD40E1D0DDB7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC64BB57-4912-481E-AE8D-C8FCD36142BB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*\",\"matchCriteriaId\":\"49B43BFD-6B6C-4E6D-A9D8-308709DDFB44\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*\",\"matchCriteriaId\":\"919C16BD-79A7-4597-8D23-2CBDED2EF615\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*\",\"matchCriteriaId\":\"81B27C03-D626-42EC-AE4E-1E66624908E3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*\",\"matchCriteriaId\":\"BD81405D-81A5-4683-A355-B39C912DAD2D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone18:*:*:*:*:*:*\",\"matchCriteriaId\":\"2DCE3576-86BC-4BB8-A5FB-1274744DFD7F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone19:*:*:*:*:*:*\",\"matchCriteriaId\":\"5571F54A-2EAC-41B6-BDA9-7D33CFE97F70\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*\",\"matchCriteriaId\":\"9846609D-51FC-4CDD-97B3-8C6E07108F14\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone20:*:*:*:*:*:*\",\"matchCriteriaId\":\"ED30E850-C475-4133-BDE3-74CB3768D787\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E321FB4-0B0C-497A-BB75-909D888C93CB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B0CAE57-AF7A-40E6-9519-F5C9F422C1BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*\",\"matchCriteriaId\":\"7CB9D150-EED6-4AE9-BCBE-48932E50035E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*\",\"matchCriteriaId\":\"D334103F-F64E-4869-BCC8-670A5AFCC76C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*\",\"matchCriteriaId\":\"941FCF7B-FFB6-4967-95C7-BB3D32C73DAF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*\",\"matchCriteriaId\":\"CE1A9030-B397-4BA6-8E13-DA1503872DDB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*\",\"matchCriteriaId\":\"6284B74A-1051-40A7-9D74-380FEEEC3F88\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1AA7FF6-E8E7-4BF6-983E-0A99B0183008\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*\",\"matchCriteriaId\":\"57088BDD-A136-45EF-A8A1-2EBF79CEC2CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*\",\"matchCriteriaId\":\"B32D1D7A-A04F-444E-8F45-BB9A9E4B0199\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*\",\"matchCriteriaId\":\"2AAD52CE-94F5-4F98-A027-9A7E68818CB6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F1F981F5-035A-4EDD-8A9F-481EE8BC7FF7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*\",\"matchCriteriaId\":\"03A171AF-2EC8-4422-912C-547CDB58CAAA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*\",\"matchCriteriaId\":\"538E68C4-0BA4-495F-AEF8-4EF6EE7963CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*\",\"matchCriteriaId\":\"49350A6E-5E1D-45B2-A874-3B8601B3ADCC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F50942F-DF54-46C0-8371-9A476DD3EEA3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*\",\"matchCriteriaId\":\"D12C2C95-B79F-4AA4-8CE3-99A3EE7991AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*\",\"matchCriteriaId\":\"98792138-DD56-42DF-9612-3BDC65EEC117\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"46D69DCC-AE4D-4EA5-861C-D60951444C6C\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2023/10/10/10\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20231103-0007/\",\"source\":\"security@apache.org\"},{\"url\":\"https://www.debian.org/security/2023/dsa-5521\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2023/dsa-5522\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2023/10/10/10\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20231103-0007/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.debian.org/security/2023/dsa-5521\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2023/dsa-5522\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}" } }
rhsa-2024_0474
Vulnerability from csaf_redhat
Published
2024-01-25 10:59
Modified
2024-12-10 16:41
Summary
Red Hat Security Advisory: tomcat security update
Notes
Topic
An update for tomcat is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Security Fix(es):
* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)
* tomcat: FileUpload: DoS due to accumulation of temporary files on Windows (CVE-2023-42794)
* tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)
* tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for tomcat is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)\n\n* tomcat: FileUpload: DoS due to accumulation of temporary files on Windows (CVE-2023-42794)\n\n* tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)\n\n* tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2024:0474", "url": "https://access.redhat.com/errata/RHSA-2024:0474" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2235370", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235370" }, { "category": "external", "summary": "2243749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243749" }, { "category": "external", "summary": "2243751", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243751" }, { "category": "external", "summary": "2243752", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243752" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_0474.json" } ], "title": "Red Hat Security Advisory: tomcat security update", "tracking": { "current_release_date": "2024-12-10T16:41:56+00:00", "generator": { "date": "2024-12-10T16:41:56+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2024:0474", "initial_release_date": "2024-01-25T10:59:50+00:00", "revision_history": [ { "date": "2024-01-25T10:59:50+00:00", "number": "1", "summary": "Initial version" }, { "date": "2024-01-25T10:59:50+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-10T16:41:56+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream (v. 9)", "product": { "name": "Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.Z.MAIN", "product_identification_helper": { "cpe": "cpe:/a:redhat:enterprise_linux:9::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "tomcat-1:9.0.62-37.el9_3.1.src", "product": { "name": "tomcat-1:9.0.62-37.el9_3.1.src", "product_id": "tomcat-1:9.0.62-37.el9_3.1.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat@9.0.62-37.el9_3.1?arch=src\u0026epoch=1" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "tomcat-1:9.0.62-37.el9_3.1.noarch", "product": { "name": "tomcat-1:9.0.62-37.el9_3.1.noarch", "product_id": "tomcat-1:9.0.62-37.el9_3.1.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat@9.0.62-37.el9_3.1?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "product": { "name": "tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "product_id": "tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-admin-webapps@9.0.62-37.el9_3.1?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "product": { "name": "tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "product_id": "tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-docs-webapp@9.0.62-37.el9_3.1?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "product": { "name": "tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "product_id": "tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-el-3.0-api@9.0.62-37.el9_3.1?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "product": { "name": "tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "product_id": "tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-jsp-2.3-api@9.0.62-37.el9_3.1?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "product": { "name": "tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "product_id": "tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-lib@9.0.62-37.el9_3.1?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "product": { "name": "tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "product_id": "tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-servlet-4.0-api@9.0.62-37.el9_3.1?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "tomcat-webapps-1:9.0.62-37.el9_3.1.noarch", "product": { "name": "tomcat-webapps-1:9.0.62-37.el9_3.1.noarch", "product_id": "tomcat-webapps-1:9.0.62-37.el9_3.1.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-webapps@9.0.62-37.el9_3.1?arch=noarch\u0026epoch=1" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "tomcat-1:9.0.62-37.el9_3.1.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.noarch" }, "product_reference": "tomcat-1:9.0.62-37.el9_3.1.noarch", "relates_to_product_reference": "AppStream-9.3.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-1:9.0.62-37.el9_3.1.src as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.src" }, "product_reference": "tomcat-1:9.0.62-37.el9_3.1.src", "relates_to_product_reference": "AppStream-9.3.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch" }, "product_reference": "tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "relates_to_product_reference": "AppStream-9.3.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch" }, "product_reference": "tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "relates_to_product_reference": "AppStream-9.3.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch" }, "product_reference": "tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "relates_to_product_reference": "AppStream-9.3.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch" }, "product_reference": "tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "relates_to_product_reference": "AppStream-9.3.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-lib-1:9.0.62-37.el9_3.1.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.Z.MAIN:tomcat-lib-1:9.0.62-37.el9_3.1.noarch" }, "product_reference": "tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "relates_to_product_reference": "AppStream-9.3.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch" }, "product_reference": "tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "relates_to_product_reference": "AppStream-9.3.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-webapps-1:9.0.62-37.el9_3.1.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.Z.MAIN:tomcat-webapps-1:9.0.62-37.el9_3.1.noarch" }, "product_reference": "tomcat-webapps-1:9.0.62-37.el9_3.1.noarch", "relates_to_product_reference": "AppStream-9.3.0.Z.MAIN" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-41080", "cwe": { "id": "CWE-601", "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" }, "discovery_date": "2023-08-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2235370" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat if the default web application is configured with FormAuthenticator. This issue allows a specially crafted URL to trigger a redirect to an arbitrary URL.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: Open Redirect vulnerability in FORM authentication", "title": "Vulnerability summary" }, { "category": "other", "text": "The pki-servlet-engine package has been obsoleted by the Tomcat package. Therefore, this issue will be fixed in the Tomcat package rather than the pki-serlvet-engine package. Please follow the RHEL Tomcat trackers instead for the updates.\n\nRed Hat Satellite is not directly impacted by this issue, since it does not embed the dependency on their offer deliveries. However, end users of Red Hat Satellite are using Tomcat via RHEL channels, which provides Tomcat dependency needed by candlepin to function in Satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.src", "AppStream-9.3.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-webapps-1:9.0.62-37.el9_3.1.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-41080" }, { "category": "external", "summary": "RHBZ#2235370", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235370" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-41080", "url": "https://www.cve.org/CVERecord?id=CVE-2023-41080" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-41080", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41080" }, { "category": "external", "summary": "https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f", "url": "https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f" } ], "release_date": "2023-08-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-01-25T10:59:50+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.src", "AppStream-9.3.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-webapps-1:9.0.62-37.el9_3.1.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:0474" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.src", "AppStream-9.3.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-webapps-1:9.0.62-37.el9_3.1.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: Open Redirect vulnerability in FORM authentication" }, { "cve": "CVE-2023-42794", "cwe": { "id": "CWE-459", "name": "Incomplete Cleanup" }, "discovery_date": "2023-10-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2243751" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat. An incomplete cleanup vulnerability with the internal fork of the Commons FileUpload package exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from the disk, potentially leading to a denial of service due to the disk being full.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: FileUpload: DoS due to accumulation of temporary files on Windows", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat rates this flaw as a Moderate impact as this would depend on how much information an attacker has over the environment (version and disk for example, increasing the Attack Complexity) as there is no guarantee the attack is successful. \nThis may affect only scenarios where running an application on Windows.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.src", "AppStream-9.3.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-webapps-1:9.0.62-37.el9_3.1.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-42794" }, { "category": "external", "summary": "RHBZ#2243751", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243751" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-42794", "url": "https://www.cve.org/CVERecord?id=CVE-2023-42794" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-42794", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42794" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2023/10/10/8", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/8" }, { "category": "external", "summary": "https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82", "url": "https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-01-25T10:59:50+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.src", "AppStream-9.3.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-webapps-1:9.0.62-37.el9_3.1.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:0474" }, { "category": "workaround", "details": "No mitigation is currently available for this flaw.", "product_ids": [ "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.src", "AppStream-9.3.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-webapps-1:9.0.62-37.el9_3.1.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.src", "AppStream-9.3.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-webapps-1:9.0.62-37.el9_3.1.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: FileUpload: DoS due to accumulation of temporary files on Windows" }, { "cve": "CVE-2023-42795", "cwe": { "id": "CWE-459", "name": "Incomplete Cleanup" }, "discovery_date": "2023-10-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2243752" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat. Tomcat may skip, after an error, the recycling of the internal objects that the next request/response process might use, resulting in information leaking from one request to the next. This flaw allows a malicious user to have access to this information.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: improper cleaning of recycled objects could lead to information leak", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat rates this as a Moderate impact as the confidentiality is not fully compromised and the malicious user does not have confirmation over the scenario to replicate the error and capture the possible jeopardizing response.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.src", "AppStream-9.3.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-webapps-1:9.0.62-37.el9_3.1.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-42795" }, { "category": "external", "summary": "RHBZ#2243752", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243752" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-42795", "url": "https://www.cve.org/CVERecord?id=CVE-2023-42795" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-42795", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42795" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2023/10/10/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/9" }, { "category": "external", "summary": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw", "url": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-01-25T10:59:50+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.src", "AppStream-9.3.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-webapps-1:9.0.62-37.el9_3.1.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:0474" }, { "category": "workaround", "details": "No mitigation is currently available for this flaw.", "product_ids": [ "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.src", "AppStream-9.3.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-webapps-1:9.0.62-37.el9_3.1.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.src", "AppStream-9.3.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-webapps-1:9.0.62-37.el9_3.1.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: improper cleaning of recycled objects could lead to information leak" }, { "cve": "CVE-2023-45648", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2023-10-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2243749" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where an improper input validation can occur. This flaw allows a malicious user to send a crafted request containing an invalid trailer header, which could be treated as multiple requests, potentially leading to request smuggling when behind a reverse proxy.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: incorrectly parsed http trailer headers can cause request smuggling", "title": "Vulnerability summary" }, { "category": "other", "text": "The request smuggling is not guaranteed to have relevant information within every request and the scenario behind a reverse proxy which fails to handle the request too is necessary, hence the Moderate impact.\n\nThe Red Hat AMQ Broker team removed any tomcat dependencies in version 7.11.3. Please refer to https://errata.devel.redhat.com/advisory/121941.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.src", "AppStream-9.3.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-webapps-1:9.0.62-37.el9_3.1.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-45648" }, { "category": "external", "summary": "RHBZ#2243749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243749" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-45648", "url": "https://www.cve.org/CVERecord?id=CVE-2023-45648" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45648", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45648" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2023/10/10/10", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/10" }, { "category": "external", "summary": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp", "url": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-01-25T10:59:50+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.src", "AppStream-9.3.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-webapps-1:9.0.62-37.el9_3.1.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:0474" }, { "category": "workaround", "details": "No mitigation is currently available for this flaw.", "product_ids": [ "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.src", "AppStream-9.3.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-webapps-1:9.0.62-37.el9_3.1.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-1:9.0.62-37.el9_3.1.src", "AppStream-9.3.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-lib-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-37.el9_3.1.noarch", "AppStream-9.3.0.Z.MAIN:tomcat-webapps-1:9.0.62-37.el9_3.1.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: incorrectly parsed http trailer headers can cause request smuggling" } ] }
rhsa-2024_4631
Vulnerability from csaf_redhat
Published
2024-07-18 17:11
Modified
2024-12-12 04:09
Summary
Red Hat Security Advisory: Red Hat OpenShift Dev Spaces 3.15.0 release
Notes
Topic
Red Hat OpenShift Dev Spaces 3.15 has been released.
All containers have been updated to include feature enhancements, bug fixes and CVE fixes.
Following the Red Hat Product Security standards this update is rated as having a security impact of Important. The Common Vulnerability Scoring System (CVSS) base score is available for every fixed CVE in the references section.
Details
Red Hat OpenShift Dev Spaces provides a cloud developer workspace server and a browser-based IDE built for teams and organizations. Dev Spaces runs in OpenShift and is well-suited for container-based development.
The 3.15 release is based on Eclipse Che 7.88 and uses the DevWorkspace engine to provide support for workspaces based on devfile v2.1 and v2.2.
Users still using the v1 standard should migrate as soon as possible.
https://devfile.io/docs/2.2.0/migrating-to-devfile-v2
Dev Spaces releases support the latest two OpenShift 4 EUS releases. Users are expected to update to newer OpenShift releases in order to continue to get Dev Spaces updates.
https://access.redhat.com/support/policy/updates/openshift#crw
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Dev Spaces 3.15 has been released.\n\nAll containers have been updated to include feature enhancements, bug fixes and CVE fixes.\n\nFollowing the Red Hat Product Security standards this update is rated as having a security impact of Important. The Common Vulnerability Scoring System (CVSS) base score is available for every fixed CVE in the references section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Dev Spaces provides a cloud developer workspace server and a browser-based IDE built for teams and organizations. Dev Spaces runs in OpenShift and is well-suited for container-based development.\n\nThe 3.15 release is based on Eclipse Che 7.88 and uses the DevWorkspace engine to provide support for workspaces based on devfile v2.1 and v2.2.\n\nUsers still using the v1 standard should migrate as soon as possible.\n\nhttps://devfile.io/docs/2.2.0/migrating-to-devfile-v2\n\nDev Spaces releases support the latest two OpenShift 4 EUS releases. Users are expected to update to newer OpenShift releases in order to continue to get Dev Spaces updates. \n\nhttps://access.redhat.com/support/policy/updates/openshift#crw", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2024:4631", "url": "https://access.redhat.com/errata/RHSA-2024:4631" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_openshift_dev_spaces/3.15/html/administration_guide/installing-devspaces", "url": "https://access.redhat.com/documentation/en-us/red_hat_openshift_dev_spaces/3.15/html/administration_guide/installing-devspaces" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2022-3064", "url": "https://access.redhat.com/security/cve/CVE-2022-3064" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2022-21698", "url": "https://access.redhat.com/security/cve/CVE-2022-21698" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2022-28948", "url": "https://access.redhat.com/security/cve/CVE-2022-28948" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2022-46175", "url": "https://access.redhat.com/security/cve/CVE-2022-46175" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2023-6378", "url": "https://access.redhat.com/security/cve/CVE-2023-6378" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2023-39325", "url": "https://access.redhat.com/security/cve/CVE-2023-39325" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2023-41080", "url": "https://access.redhat.com/security/cve/CVE-2023-41080" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2023-44487", "url": "https://access.redhat.com/security/cve/CVE-2023-44487" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2023-45288", "url": "https://access.redhat.com/security/cve/CVE-2023-45288" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2023-45648", "url": "https://access.redhat.com/security/cve/CVE-2023-45648" }, { "category": "external", "summary": "CRW-6593", "url": "https://issues.redhat.com/browse/CRW-6593" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_4631.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenShift Dev Spaces 3.15.0 release", "tracking": { "current_release_date": "2024-12-12T04:09:27+00:00", "generator": { "date": "2024-12-12T04:09:27+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2024:4631", "initial_release_date": "2024-07-18T17:11:22+00:00", "revision_history": [ { "date": "2024-07-18T17:11:22+00:00", "number": "1", "summary": "Initial version" }, { "date": "2024-07-18T17:11:22+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-12T04:09:27+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Dev Spaces 3", "product": { "name": "Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift_devspaces:3::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Dev Spaces" }, { "branches": [ { "category": "product_version", "name": "devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "product": { "name": "devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "product_id": "devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "product_identification_helper": { "purl": "pkg:oci/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885?arch=amd64\u0026repository_url=registry.redhat.io/devspaces/code-rhel8\u0026tag=3.15-4" } } }, { "category": "product_version", "name": "devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "product": { "name": "devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "product_id": "devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "product_identification_helper": { "purl": "pkg:oci/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e?arch=amd64\u0026repository_url=registry.redhat.io/devspaces/configbump-rhel8\u0026tag=3.15-2" } } }, { "category": "product_version", "name": "devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "product": { "name": "devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "product_id": "devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "product_identification_helper": { "purl": "pkg:oci/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c?arch=amd64\u0026repository_url=registry.redhat.io/devspaces/dashboard-rhel8\u0026tag=3.15-6" } } }, { "category": "product_version", "name": "devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "product": { "name": "devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "product_id": "devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "product_identification_helper": { "purl": "pkg:oci/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553?arch=amd64\u0026repository_url=registry.redhat.io/devspaces/devfileregistry-rhel8\u0026tag=3.15-15" } } }, { "category": "product_version", "name": "devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "product": { "name": "devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "product_id": "devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "product_identification_helper": { "purl": "pkg:oci/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18?arch=amd64\u0026repository_url=registry.redhat.io/devspaces/idea-rhel8\u0026tag=3.15-5" } } }, { "category": "product_version", "name": "devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "product": { "name": "devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "product_id": "devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "product_identification_helper": { "purl": "pkg:oci/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1?arch=amd64\u0026repository_url=registry.redhat.io/devspaces/imagepuller-rhel8\u0026tag=3.15-2" } } }, { "category": "product_version", "name": "devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "product": { "name": "devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "product_id": "devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "product_identification_helper": { "purl": "pkg:oci/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf?arch=amd64\u0026repository_url=registry.redhat.io/devspaces/machineexec-rhel8\u0026tag=3.15-2" } } }, { "category": "product_version", "name": "devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "product": { "name": "devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "product_id": "devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "product_identification_helper": { "purl": "pkg:oci/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055?arch=amd64\u0026repository_url=registry.redhat.io/devspaces/devspaces-operator-bundle\u0026tag=3.15-26" } } }, { "category": "product_version", "name": "devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "product": { "name": "devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "product_id": "devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "product_identification_helper": { "purl": "pkg:oci/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5?arch=amd64\u0026repository_url=registry.redhat.io/devspaces/pluginregistry-rhel8\u0026tag=3.15-4" } } }, { "category": "product_version", "name": "devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "product": { "name": "devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "product_id": "devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "product_identification_helper": { "purl": "pkg:oci/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91?arch=amd64\u0026repository_url=registry.redhat.io/devspaces/devspaces-rhel8-operator\u0026tag=3.15-10" } } }, { "category": "product_version", "name": "devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "product": { "name": "devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "product_id": "devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "product_identification_helper": { "purl": "pkg:oci/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce?arch=amd64\u0026repository_url=registry.redhat.io/devspaces/server-rhel8\u0026tag=3.15-3" } } }, { "category": "product_version", "name": "devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "product": { "name": "devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "product_id": "devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "product_identification_helper": { "purl": "pkg:oci/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1?arch=amd64\u0026repository_url=registry.redhat.io/devspaces/traefik-rhel8\u0026tag=3.15-2" } } }, { "category": "product_version", "name": "devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "product": { "name": "devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "product_id": "devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "product_identification_helper": { "purl": "pkg:oci/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83?arch=amd64\u0026repository_url=registry.redhat.io/devspaces/udi-rhel8\u0026tag=3.15-5" } } } ], "category": "architecture", "name": "amd64" }, { "branches": [ { "category": "product_version", "name": "devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "product": { "name": "devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "product_id": "devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "product_identification_helper": { "purl": "pkg:oci/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf?arch=s390x\u0026repository_url=registry.redhat.io/devspaces/code-rhel8\u0026tag=3.15-4" } } }, { "category": "product_version", "name": "devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "product": { "name": "devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "product_id": "devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "product_identification_helper": { "purl": "pkg:oci/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd?arch=s390x\u0026repository_url=registry.redhat.io/devspaces/configbump-rhel8\u0026tag=3.15-2" } } }, { "category": "product_version", "name": "devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "product": { "name": "devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "product_id": "devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "product_identification_helper": { "purl": "pkg:oci/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea?arch=s390x\u0026repository_url=registry.redhat.io/devspaces/dashboard-rhel8\u0026tag=3.15-6" } } }, { "category": "product_version", "name": "devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "product": { "name": "devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "product_id": "devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "product_identification_helper": { "purl": "pkg:oci/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae?arch=s390x\u0026repository_url=registry.redhat.io/devspaces/devfileregistry-rhel8\u0026tag=3.15-15" } } }, { "category": "product_version", "name": "devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "product": { "name": "devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "product_id": "devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "product_identification_helper": { "purl": "pkg:oci/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da?arch=s390x\u0026repository_url=registry.redhat.io/devspaces/imagepuller-rhel8\u0026tag=3.15-2" } } }, { "category": "product_version", "name": "devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "product": { "name": "devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "product_id": "devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "product_identification_helper": { "purl": "pkg:oci/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd?arch=s390x\u0026repository_url=registry.redhat.io/devspaces/machineexec-rhel8\u0026tag=3.15-2" } } }, { "category": "product_version", "name": "devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "product": { "name": "devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "product_id": "devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "product_identification_helper": { "purl": "pkg:oci/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab?arch=s390x\u0026repository_url=registry.redhat.io/devspaces/devspaces-operator-bundle\u0026tag=3.15-26" } } }, { "category": "product_version", "name": "devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "product": { "name": "devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "product_id": "devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "product_identification_helper": { "purl": "pkg:oci/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39?arch=s390x\u0026repository_url=registry.redhat.io/devspaces/pluginregistry-rhel8\u0026tag=3.15-4" } } }, { "category": "product_version", "name": "devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "product": { "name": "devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "product_id": "devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "product_identification_helper": { "purl": "pkg:oci/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b?arch=s390x\u0026repository_url=registry.redhat.io/devspaces/devspaces-rhel8-operator\u0026tag=3.15-10" } } }, { "category": "product_version", "name": "devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "product": { "name": "devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "product_id": "devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "product_identification_helper": { "purl": "pkg:oci/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df?arch=s390x\u0026repository_url=registry.redhat.io/devspaces/server-rhel8\u0026tag=3.15-3" } } }, { "category": "product_version", "name": "devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "product": { "name": "devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "product_id": "devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "product_identification_helper": { "purl": "pkg:oci/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d?arch=s390x\u0026repository_url=registry.redhat.io/devspaces/traefik-rhel8\u0026tag=3.15-2" } } }, { "category": "product_version", "name": "devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "product": { "name": "devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "product_id": "devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "product_identification_helper": { "purl": "pkg:oci/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee?arch=s390x\u0026repository_url=registry.redhat.io/devspaces/udi-rhel8\u0026tag=3.15-5" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "product": { "name": "devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "product_id": "devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "product_identification_helper": { "purl": "pkg:oci/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8?arch=ppc64le\u0026repository_url=registry.redhat.io/devspaces/code-rhel8\u0026tag=3.15-4" } } }, { "category": "product_version", "name": "devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "product": { "name": "devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "product_id": "devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "product_identification_helper": { "purl": "pkg:oci/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea?arch=ppc64le\u0026repository_url=registry.redhat.io/devspaces/configbump-rhel8\u0026tag=3.15-2" } } }, { "category": "product_version", "name": "devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "product": { "name": "devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "product_id": "devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "product_identification_helper": { "purl": "pkg:oci/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab?arch=ppc64le\u0026repository_url=registry.redhat.io/devspaces/dashboard-rhel8\u0026tag=3.15-6" } } }, { "category": "product_version", "name": "devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "product": { "name": "devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "product_id": "devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "product_identification_helper": { "purl": "pkg:oci/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852?arch=ppc64le\u0026repository_url=registry.redhat.io/devspaces/devfileregistry-rhel8\u0026tag=3.15-15" } } }, { "category": "product_version", "name": "devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "product": { "name": "devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "product_id": "devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "product_identification_helper": { "purl": "pkg:oci/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae?arch=ppc64le\u0026repository_url=registry.redhat.io/devspaces/imagepuller-rhel8\u0026tag=3.15-2" } } }, { "category": "product_version", "name": "devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "product": { "name": "devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "product_id": "devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "product_identification_helper": { "purl": "pkg:oci/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88?arch=ppc64le\u0026repository_url=registry.redhat.io/devspaces/machineexec-rhel8\u0026tag=3.15-2" } } }, { "category": "product_version", "name": "devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "product": { "name": "devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "product_id": "devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "product_identification_helper": { "purl": "pkg:oci/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283?arch=ppc64le\u0026repository_url=registry.redhat.io/devspaces/devspaces-operator-bundle\u0026tag=3.15-26" } } }, { "category": "product_version", "name": "devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "product": { "name": "devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "product_id": "devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "product_identification_helper": { "purl": "pkg:oci/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad?arch=ppc64le\u0026repository_url=registry.redhat.io/devspaces/pluginregistry-rhel8\u0026tag=3.15-4" } } }, { "category": "product_version", "name": "devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "product": { "name": "devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "product_id": "devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "product_identification_helper": { "purl": "pkg:oci/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3?arch=ppc64le\u0026repository_url=registry.redhat.io/devspaces/devspaces-rhel8-operator\u0026tag=3.15-10" } } }, { "category": "product_version", "name": "devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "product": { "name": "devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "product_id": "devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "product_identification_helper": { "purl": "pkg:oci/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78?arch=ppc64le\u0026repository_url=registry.redhat.io/devspaces/server-rhel8\u0026tag=3.15-3" } } }, { "category": "product_version", "name": "devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "product": { "name": "devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "product_id": "devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "product_identification_helper": { "purl": "pkg:oci/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87?arch=ppc64le\u0026repository_url=registry.redhat.io/devspaces/traefik-rhel8\u0026tag=3.15-2" } } }, { "category": "product_version", "name": "devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le", "product": { "name": "devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le", "product_id": "devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le", "product_identification_helper": { "purl": "pkg:oci/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179?arch=ppc64le\u0026repository_url=registry.redhat.io/devspaces/udi-rhel8\u0026tag=3.15-5" } } } ], "category": "architecture", "name": "ppc64le" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le" }, "product_reference": "devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64 as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64" }, "product_reference": "devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x" }, "product_reference": "devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x" }, "product_reference": "devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64 as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64" }, "product_reference": "devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le" }, "product_reference": "devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x" }, "product_reference": "devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le" }, "product_reference": "devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64 as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64" }, "product_reference": "devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64 as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64" }, "product_reference": "devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le" }, "product_reference": "devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x" }, "product_reference": "devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64 as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64" }, "product_reference": "devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le" }, "product_reference": "devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x" }, "product_reference": "devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x" }, "product_reference": "devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le" }, "product_reference": "devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64 as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64" }, "product_reference": "devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64 as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64" }, "product_reference": "devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64 as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64" }, "product_reference": "devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le" }, "product_reference": "devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x" }, "product_reference": "devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le" }, "product_reference": "devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x" }, "product_reference": "devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64 as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64" }, "product_reference": "devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64 as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64" }, "product_reference": "devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le" }, "product_reference": "devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x" }, "product_reference": "devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x" }, "product_reference": "devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64 as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64" }, "product_reference": "devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le" }, "product_reference": "devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64 as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64" }, "product_reference": "devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x" }, "product_reference": "devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le" }, "product_reference": "devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x" }, "product_reference": "devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64 as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64" }, "product_reference": "devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "relates_to_product_reference": "8Base-RHOSDS-3" }, { "category": "default_component_of", "full_product_name": { "name": "devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le as a component of Red Hat OpenShift Dev Spaces 3", "product_id": "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" }, "product_reference": "devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le", "relates_to_product_reference": "8Base-RHOSDS-3" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-3064", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-01-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2163037" } ], "notes": [ { "category": "description", "text": "A flaw was found in go-yaml. This issue causes the consumption of excessive amounts of CPU or memory when attempting to parse a large or maliciously crafted YAML document.", "title": "Vulnerability description" }, { "category": "summary", "text": "go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le" ], "known_not_affected": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3064" }, { "category": "external", "summary": "RHBZ#2163037", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2163037" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3064", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3064" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3064", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3064" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-6q6q-88xp-6f2r", "url": "https://github.com/advisories/GHSA-6q6q-88xp-6f2r" }, { "category": "external", "summary": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5", "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5" }, { "category": "external", "summary": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4", "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2022-0956", "url": "https://pkg.go.dev/vuln/GO-2022-0956" } ], "release_date": "2022-08-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-07-18T17:11:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:4631" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents" }, { "cve": "CVE-2022-21698", "cwe": { "id": "CWE-772", "name": "Missing Release of Resource after Effective Lifetime" }, "discovery_date": "2022-01-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2045880" } ], "notes": [ { "category": "description", "text": "A denial of service attack was found in prometheus/client_golang. This flaw allows an attacker to produce a denial of service attack on an HTTP server by exploiting the InstrumentHandlerCounter function in the version below 1.11.1, resulting in a loss of availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "prometheus/client_golang: Denial of service using InstrumentHandlerCounter", "title": "Vulnerability summary" }, { "category": "other", "text": "This flaw has been rated as having a moderate impact for two main reasons. The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. Additionally, this is in alignment with upstream\u0027s (the Prometheus project) impact rating.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64" ], "known_not_affected": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-21698" }, { "category": "external", "summary": "RHBZ#2045880", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2045880" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-21698", "url": "https://www.cve.org/CVERecord?id=CVE-2022-21698" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-21698", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21698" }, { "category": "external", "summary": "https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p", "url": "https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p" } ], "release_date": "2022-02-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-07-18T17:11:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:4631" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "prometheus/client_golang: Denial of service using InstrumentHandlerCounter" }, { "cve": "CVE-2022-28948", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-05-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2088748" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Unmarshal function in Go-Yaml. This vulnerability results in program crashes when attempting to convert (or deserialize) invalid input data, potentially impacting system stability and reliability.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang-gopkg-yaml: crash when attempting to deserialize invalid input", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat has designated the CVE rating as \u0027moderate\u0027 as exploitation of Red Hat products is contingent upon the attacker being authenticated when sending the malicious XML payload.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64" ], "known_not_affected": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-28948" }, { "category": "external", "summary": "RHBZ#2088748", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2088748" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-28948", "url": "https://www.cve.org/CVERecord?id=CVE-2022-28948" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-28948", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28948" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-hp87-p4gw-j4gq", "url": "https://github.com/advisories/GHSA-hp87-p4gw-j4gq" } ], "release_date": "2022-05-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-07-18T17:11:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:4631" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang-gopkg-yaml: crash when attempting to deserialize invalid input" }, { "cve": "CVE-2022-46175", "cwe": { "id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" }, "discovery_date": "2022-12-26T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2156263" } ], "notes": [ { "category": "description", "text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.", "title": "Vulnerability description" }, { "category": "summary", "text": "json5: Prototype Pollution in JSON5 via Parse Method", "title": "Vulnerability summary" }, { "category": "other", "text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64" ], "known_not_affected": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46175" }, { "category": "external", "summary": "RHBZ#2156263", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46175" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175" }, { "category": "external", "summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h", "url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h" } ], "release_date": "2022-12-24T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-07-18T17:11:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:4631" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "json5: Prototype Pollution in JSON5 via Parse Method" }, { "cve": "CVE-2023-6378", "cwe": { "id": "CWE-499", "name": "Serializable Class Containing Sensitive Data" }, "discovery_date": "2023-11-30T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2252230" } ], "notes": [ { "category": "description", "text": "A flaw was found in the logback package, where it is vulnerable to a denial of service caused by a serialization flaw in the receiver component. By sending specially crafted poisoned data, a remote attacker can cause a denial of service condition.", "title": "Vulnerability description" }, { "category": "summary", "text": "logback: serialization vulnerability in logback receiver", "title": "Vulnerability summary" }, { "category": "other", "text": "The Logback package vulnerability, posing a risk of denial-of-service through a serialization flaw in its receiver component, is considered a moderate issue due to its potential impact on system availability. While denial-of-service vulnerabilities can be disruptive, the severity is tempered by the fact that they generally do not result in unauthorized access or data compromise.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le" ], "known_not_affected": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-6378" }, { "category": "external", "summary": "RHBZ#2252230", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2252230" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-6378", "url": "https://www.cve.org/CVERecord?id=CVE-2023-6378" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-6378", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6378" } ], "release_date": "2023-11-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-07-18T17:11:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:4631" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "logback: serialization vulnerability in logback receiver" }, { "cve": "CVE-2023-39325", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-10-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2243296" } ], "notes": [ { "category": "description", "text": "A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as \u0027Important\u0027 as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\r\n\r\nCVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)", "title": "Vulnerability summary" }, { "category": "other", "text": "This CVE is related to CVE-2023-44487.\n\nThe majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools utilize Golang package as build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ], "known_not_affected": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-39325" }, { "category": "external", "summary": "RHBZ#2243296", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243296" }, { "category": "external", "summary": "RHSB-2023-003", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-39325", "url": "https://www.cve.org/CVERecord?id=CVE-2023-39325" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2023-44487", "url": "https://access.redhat.com/security/cve/CVE-2023-44487" }, { "category": "external", "summary": "https://go.dev/issue/63417", "url": "https://go.dev/issue/63417" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2023-2102", "url": "https://pkg.go.dev/vuln/GO-2023-2102" }, { "category": "external", "summary": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-07-18T17:11:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:4631" }, { "category": "workaround", "details": "The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.", "product_ids": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)" }, { "cve": "CVE-2023-41080", "cwe": { "id": "CWE-601", "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" }, "discovery_date": "2023-08-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2235370" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat if the default web application is configured with FormAuthenticator. This issue allows a specially crafted URL to trigger a redirect to an arbitrary URL.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: Open Redirect vulnerability in FORM authentication", "title": "Vulnerability summary" }, { "category": "other", "text": "The pki-servlet-engine package has been obsoleted by the Tomcat package. Therefore, this issue will be fixed in the Tomcat package rather than the pki-serlvet-engine package. Please follow the RHEL Tomcat trackers instead for the updates.\n\nRed Hat Satellite is not directly impacted by this issue, since it does not embed the dependency on their offer deliveries. However, end users of Red Hat Satellite are using Tomcat via RHEL channels, which provides Tomcat dependency needed by candlepin to function in Satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le" ], "known_not_affected": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-41080" }, { "category": "external", "summary": "RHBZ#2235370", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235370" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-41080", "url": "https://www.cve.org/CVERecord?id=CVE-2023-41080" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-41080", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41080" }, { "category": "external", "summary": "https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f", "url": "https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f" } ], "release_date": "2023-08-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-07-18T17:11:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:4631" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: Open Redirect vulnerability in FORM authentication" }, { "cve": "CVE-2023-44487", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-10-09T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2242803" } ], "notes": [ { "category": "description", "text": "A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as \u0027Important\u0027 as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\r\n\r\nCVE-2023-39325 was assigned for the Rapid Reset Attack in the Go language packages.\r\n\r\nSecurity Bulletin\r\nhttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)", "title": "Vulnerability summary" }, { "category": "other", "text": "NGINX has been marked as Moderate Impact because, for performance and resource consumption reasons, NGINX limits the number of concurrent streams to a default of 128. In addition, to optimally balance network and server performance, NGINX allows the client to persist HTTP connections for up to 1000 requests by default using an HTTP keepalive.\n\nThe majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools utilize Golang package as build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.\n\nrhc component is no longer impacted by CVE-2023-44487 \u0026 CVE-2023-39325.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ], "known_not_affected": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-44487" }, { "category": "external", "summary": "RHBZ#2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "category": "external", "summary": "RHSB-2023-003", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-44487", "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487" }, { "category": "external", "summary": "https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2023-2102", "url": "https://pkg.go.dev/vuln/GO-2023-2102" }, { "category": "external", "summary": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "category": "external", "summary": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-07-18T17:11:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:4631" }, { "category": "workaround", "details": "Users are strongly urged to update their software as soon as fixes are available. \nThere are several mitigation approaches for this flaw. \n\n1. If circumstances permit, users may disable http2 endpoints to circumvent the flaw altogether until a fix is available.\n2. IP-based blocking or flood protection and rate control tools may be used at network endpoints to filter incoming traffic.\n3. Several package specific mitigations are also available. \n a. nginx: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/\n b. netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p\n c. haproxy: https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487\n d. nghttp2: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg\n e. golang: The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.", "product_ids": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-10-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Important" } ], "title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)" }, { "acknowledgments": [ { "names": [ "Bartek Nowotarski" ], "organization": "nowotarski.info" } ], "cve": "CVE-2023-45288", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2024-03-06T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2268273" } ], "notes": [ { "category": "description", "text": "A vulnerability was discovered with the implementation of the HTTP/2 protocol in the Go programming language. There were insufficient limitations on the amount of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a Denial of Service (DoS) attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat rates the security impact of this vulnerability as Important due to the worst case scenario resulting in a denial of service. It is simple to exploit, could significantly impact availability, and there is not a suitable mitigation for all use cases. Once an attack has ended, the system should return to normal operations on its own.\n\nThis vulnerability only impacts servers which have HTTP/2 enabled. It stems from an imperfect definition of the protocol. As the Go programming language is widely utilized across nearly every major Red Hat offering, a full listing of impacted packages will not be provided. Therefore, the \u201cAffected Packages and Issued Red Hat Security Errata\u201d section contains a simplified list of what offerings need to remediate this vulnerability. Every impacted offering has at least one representative component listed, but potentially not all of them. Rest assured that Red Hat is committed to remediating this vulnerability across our entire portfolio.\n\nMany components are rated as Low impact due to configurations which reduce the attack surface or significantly increase the difficulty of exploitation. A summary of these scenarios are:\n* The container includes a package that provides a vulnerable webserver, but it is not used or running during operation\n* HTTP/2 is disabled by default and is not supported\n* Only a client implementation is provided, which is not vulnerable\n* A vulnerable module (either golang.org/net/http or golang.org/x/net/http2) is included, but disabled\n* Access to a vulnerable server is restricted within the container (loopback only connections)\n* Golang is available in the container but is not used\n\n\nWithin the Red Hat OpenShift Container Platform, the majority of vulnerable components are not externally accessible. This means an attacker must already have access to a container within your environment to exploit this vulnerability. However, the ose-hyperkube (openshift-enterprise-hyperkube) container is externally accessible, so there are less barriers to exploitation. Fixes for this specific container are already available.\n\nWithin Red Hat Ansible Automation Platform, the impacted component is Receptor. The impact has been reduced to Low as the vulnerable code is present, but not utilized. There are three potential exposures within this component:\n* Receptor utilizes QUIC a UDP based protocol which does not run over HTTP/2\n* Receptor utilizes the x/net/ipv4 and ipv6 packages, both of which are not affected", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64" ], "known_not_affected": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-45288" }, { "category": "external", "summary": "RHBZ#2268273", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268273" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-45288", "url": "https://www.cve.org/CVERecord?id=CVE-2023-45288" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288" }, { "category": "external", "summary": "https://nowotarski.info/http2-continuation-flood/", "url": "https://nowotarski.info/http2-continuation-flood/" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2024-2687", "url": "https://pkg.go.dev/vuln/GO-2024-2687" }, { "category": "external", "summary": "https://www.kb.cert.org/vuls/id/421644", "url": "https://www.kb.cert.org/vuls/id/421644" } ], "release_date": "2024-04-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-07-18T17:11:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:4631" }, { "category": "workaround", "details": "In some environments where http/2 support is not required, it may be possible to disable this feature to reduce risk.", "product_ids": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS" }, { "cve": "CVE-2023-45648", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2023-10-12T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2243749" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where an improper input validation can occur. This flaw allows a malicious user to send a crafted request containing an invalid trailer header, which could be treated as multiple requests, potentially leading to request smuggling when behind a reverse proxy.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: incorrectly parsed http trailer headers can cause request smuggling", "title": "Vulnerability summary" }, { "category": "other", "text": "The request smuggling is not guaranteed to have relevant information within every request and the scenario behind a reverse proxy which fails to handle the request too is necessary, hence the Moderate impact.\n\nThe Red Hat AMQ Broker team removed any tomcat dependencies in version 7.11.3. Please refer to https://errata.devel.redhat.com/advisory/121941.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le" ], "known_not_affected": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-45648" }, { "category": "external", "summary": "RHBZ#2243749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243749" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-45648", "url": "https://www.cve.org/CVERecord?id=CVE-2023-45648" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45648", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45648" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2023/10/10/10", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/10" }, { "category": "external", "summary": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp", "url": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-07-18T17:11:22+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:4631" }, { "category": "workaround", "details": "No mitigation is currently available for this flaw.", "product_ids": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:14df338acf7e3bbdcbb79bd66b063900a655d5dc920862e0fe67262e457bfae8_ppc64le", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:be39b6b16ef2a5e88d4650b0f2cb1e8e4c3cacbdb67a59b443255e857460b885_amd64", "8Base-RHOSDS-3:devspaces/code-rhel8@sha256:dd6aafc88aeab0ee3c7ee706540d4022a6d860c68b4cbec1bdf3990092b2bcbf_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:1e109e2572b3db1610ae07c1580837fc03813927ab8230f06a452ea51e4ea1fd_s390x", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:7ad719f34df4ff6ca4afc67610c616f1ab5961be60a7e80d7e35af3374dc2a2e_amd64", "8Base-RHOSDS-3:devspaces/configbump-rhel8@sha256:f0cf2be9026fed74449daf382907d5014cc72998be0edb32a3aeb150754030ea_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:0c402a60f316d48868cfb3d5459ed56222fd56a10562a4db6c09155f9e2be2ea_s390x", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:aa078d91d3c80ab437ccb49b8470947abc9b66bf98b77e7e0ecf5271a6e075ab_ppc64le", "8Base-RHOSDS-3:devspaces/dashboard-rhel8@sha256:f227e2cef7b8cd6b937db379b4dc5463fa73e511400ad64f010081be577d809c_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:762b66d0ee13db9d168a022e31180145dd4ec20eb5cdbfcb48510e44173f8553_amd64", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:8d07c15f234a996673c6910ecd93adc9289b7e0d85de664713b958b4150b3852_ppc64le", "8Base-RHOSDS-3:devspaces/devfileregistry-rhel8@sha256:ef41ab671a633299a1db5d5f3bc72c59f4d8b6e126c8635be5e650c8547b4eae_s390x", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:2a2f31bacc803a8260da6cd3a61ad71cbb00cf2e521854def145b3d0bec0b055_amd64", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:7d92439b4f42e8a320d6bf6fe923370082a92c8a183bdecbef8038b07a00c283_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-operator-bundle@sha256:aaf36bb82765cd95324c84442cd9deb54c27469d6726ca248f1aeef7b3f06fab_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:75b1429db0482dfe108a7fbbed1abefb24f4cd7b35e4bb0d57f32c1973ec883b_s390x", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:948252e9ecb6a058a7ba116f7e018134f0a9548e5dacffc10d4248050268d5b3_ppc64le", "8Base-RHOSDS-3:devspaces/devspaces-rhel8-operator@sha256:9781322614ad47a9d75dc7c87581dd3789f78992ec9eb91833e86061e7ea1f91_amd64", "8Base-RHOSDS-3:devspaces/idea-rhel8@sha256:5ac4fdd00b0d1436115f2fda0a777b9f4ae99866cbf8fa99dddaad21888eeb18_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:760021d9a555390d69e76f6dab0ce0c2694001aef3a8b44384bd8e9bf96171e1_amd64", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:8101bdc3676ad5a1f832a46179a0225349af8cdab2a1a285ab173192082d93ae_ppc64le", "8Base-RHOSDS-3:devspaces/imagepuller-rhel8@sha256:a02ae8ff331b3be77e6f48a5faa0e1c13b1203242edca7e4a2e1cfb83df3e6da_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:7d367fef16f3968243fc47927515a0ee1313ac5169c5a7769b701d47409bec88_ppc64le", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:9f9d815327b731738f690d65c89b86c3128457c2d4447141a0e4f42bd52096fd_s390x", "8Base-RHOSDS-3:devspaces/machineexec-rhel8@sha256:f6852cf501751523954574a97e68c543b16c58b77fc6061954fc95e94977d2bf_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:06a15178e2f20d56fac5e13cad9fcc1ae7316789e34115a2504c4a07580f19f5_amd64", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:4141f892f6cd45a9e85f6a4ed7e63e061749ee0ae283b02447be603cafedacad_ppc64le", "8Base-RHOSDS-3:devspaces/pluginregistry-rhel8@sha256:e23dc02966b044bf52d27d98e4ed4873dbfb2a5ce92c6d82e98a6c45fa298b39_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:3be3bc2226f6719f8227709ea13626bee7135d1dc0d64aa4d8ee4ef6e8bb60df_s390x", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:b6912aa0c1717be5d0e69c31e94e834abe1307d5e8132345af89a923d5b687ce_amd64", "8Base-RHOSDS-3:devspaces/server-rhel8@sha256:d0ae2f24410876f45670107480e10d98b59e08cac3561095f86dfdda1d759b78_ppc64le", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:9fada42916b4e04c8c8ff7bb3cd8ce0976862d15de7c7225ee41366f790338a1_amd64", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:a5d8bb3e4fbdda212ae48e298f47daf9b02cd78ccf6ce85087b62e96ee80cb6d_s390x", "8Base-RHOSDS-3:devspaces/traefik-rhel8@sha256:c9e21c99f25869dcf79aa5844499492f21b98905fcb1f1832470acc445c28c87_ppc64le", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:b4112466adc8ec304859d4ed70fbe7c51d77abce884c19f742356b4d64f3c3ee_s390x", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:d407cd42cfe5c6100d67552bcb39923bb665a17e7c5004d387a59bfef9a1bb83_amd64", "8Base-RHOSDS-3:devspaces/udi-rhel8@sha256:fa9863eac8f11e6dd6685cd7b5ab28bb6ca3f708c874724ed894b49d4a267179_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: incorrectly parsed http trailer headers can cause request smuggling" } ] }
rhsa-2024_0125
Vulnerability from csaf_redhat
Published
2024-01-10 11:32
Modified
2024-12-10 16:41
Summary
Red Hat Security Advisory: tomcat security update
Notes
Topic
An update for tomcat is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Security Fix(es):
* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)
* tomcat: FileUpload: DoS due to accumulation of temporary files on Windows (CVE-2023-42794)
* tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)
* tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for tomcat is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)\n\n* tomcat: FileUpload: DoS due to accumulation of temporary files on Windows (CVE-2023-42794)\n\n* tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)\n\n* tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2024:0125", "url": "https://access.redhat.com/errata/RHSA-2024:0125" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2235370", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235370" }, { "category": "external", "summary": "2243749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243749" }, { "category": "external", "summary": "2243751", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243751" }, { "category": "external", "summary": "2243752", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243752" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_0125.json" } ], "title": "Red Hat Security Advisory: tomcat security update", "tracking": { "current_release_date": "2024-12-10T16:41:52+00:00", "generator": { "date": "2024-12-10T16:41:52+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2024:0125", "initial_release_date": "2024-01-10T11:32:48+00:00", "revision_history": [ { "date": "2024-01-10T11:32:48+00:00", "number": "1", "summary": "Initial version" }, { "date": "2024-01-10T11:32:48+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-10T16:41:52+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream (v. 8)", "product": { "name": "Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.9.0.Z.MAIN", "product_identification_helper": { "cpe": "cpe:/a:redhat:enterprise_linux:8::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "tomcat-1:9.0.62-27.el8_9.2.src", "product": { "name": "tomcat-1:9.0.62-27.el8_9.2.src", "product_id": "tomcat-1:9.0.62-27.el8_9.2.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat@9.0.62-27.el8_9.2?arch=src\u0026epoch=1" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "tomcat-1:9.0.62-27.el8_9.2.noarch", "product": { "name": "tomcat-1:9.0.62-27.el8_9.2.noarch", "product_id": "tomcat-1:9.0.62-27.el8_9.2.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat@9.0.62-27.el8_9.2?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "product": { "name": "tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "product_id": "tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-admin-webapps@9.0.62-27.el8_9.2?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "product": { "name": "tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "product_id": "tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-docs-webapp@9.0.62-27.el8_9.2?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "product": { "name": "tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "product_id": "tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-el-3.0-api@9.0.62-27.el8_9.2?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "product": { "name": "tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "product_id": "tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-jsp-2.3-api@9.0.62-27.el8_9.2?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "product": { "name": "tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "product_id": "tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-lib@9.0.62-27.el8_9.2?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "product": { "name": "tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "product_id": "tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-servlet-4.0-api@9.0.62-27.el8_9.2?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "tomcat-webapps-1:9.0.62-27.el8_9.2.noarch", "product": { "name": "tomcat-webapps-1:9.0.62-27.el8_9.2.noarch", "product_id": "tomcat-webapps-1:9.0.62-27.el8_9.2.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-webapps@9.0.62-27.el8_9.2?arch=noarch\u0026epoch=1" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "tomcat-1:9.0.62-27.el8_9.2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.noarch" }, "product_reference": "tomcat-1:9.0.62-27.el8_9.2.noarch", "relates_to_product_reference": "AppStream-8.9.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-1:9.0.62-27.el8_9.2.src as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.src" }, "product_reference": "tomcat-1:9.0.62-27.el8_9.2.src", "relates_to_product_reference": "AppStream-8.9.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.9.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch" }, "product_reference": "tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "relates_to_product_reference": "AppStream-8.9.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.9.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch" }, "product_reference": "tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "relates_to_product_reference": "AppStream-8.9.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.9.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch" }, "product_reference": "tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "relates_to_product_reference": "AppStream-8.9.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.9.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch" }, "product_reference": "tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "relates_to_product_reference": "AppStream-8.9.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-lib-1:9.0.62-27.el8_9.2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.9.0.Z.MAIN:tomcat-lib-1:9.0.62-27.el8_9.2.noarch" }, "product_reference": "tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "relates_to_product_reference": "AppStream-8.9.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.9.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch" }, "product_reference": "tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "relates_to_product_reference": "AppStream-8.9.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-webapps-1:9.0.62-27.el8_9.2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.9.0.Z.MAIN:tomcat-webapps-1:9.0.62-27.el8_9.2.noarch" }, "product_reference": "tomcat-webapps-1:9.0.62-27.el8_9.2.noarch", "relates_to_product_reference": "AppStream-8.9.0.Z.MAIN" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-41080", "cwe": { "id": "CWE-601", "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" }, "discovery_date": "2023-08-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2235370" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat if the default web application is configured with FormAuthenticator. This issue allows a specially crafted URL to trigger a redirect to an arbitrary URL.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: Open Redirect vulnerability in FORM authentication", "title": "Vulnerability summary" }, { "category": "other", "text": "The pki-servlet-engine package has been obsoleted by the Tomcat package. Therefore, this issue will be fixed in the Tomcat package rather than the pki-serlvet-engine package. Please follow the RHEL Tomcat trackers instead for the updates.\n\nRed Hat Satellite is not directly impacted by this issue, since it does not embed the dependency on their offer deliveries. However, end users of Red Hat Satellite are using Tomcat via RHEL channels, which provides Tomcat dependency needed by candlepin to function in Satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.src", "AppStream-8.9.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-webapps-1:9.0.62-27.el8_9.2.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-41080" }, { "category": "external", "summary": "RHBZ#2235370", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235370" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-41080", "url": "https://www.cve.org/CVERecord?id=CVE-2023-41080" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-41080", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41080" }, { "category": "external", "summary": "https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f", "url": "https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f" } ], "release_date": "2023-08-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-01-10T11:32:48+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.src", "AppStream-8.9.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-webapps-1:9.0.62-27.el8_9.2.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:0125" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.src", "AppStream-8.9.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-webapps-1:9.0.62-27.el8_9.2.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: Open Redirect vulnerability in FORM authentication" }, { "cve": "CVE-2023-42794", "cwe": { "id": "CWE-459", "name": "Incomplete Cleanup" }, "discovery_date": "2023-10-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2243751" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat. An incomplete cleanup vulnerability with the internal fork of the Commons FileUpload package exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from the disk, potentially leading to a denial of service due to the disk being full.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: FileUpload: DoS due to accumulation of temporary files on Windows", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat rates this flaw as a Moderate impact as this would depend on how much information an attacker has over the environment (version and disk for example, increasing the Attack Complexity) as there is no guarantee the attack is successful. \nThis may affect only scenarios where running an application on Windows.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.src", "AppStream-8.9.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-webapps-1:9.0.62-27.el8_9.2.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-42794" }, { "category": "external", "summary": "RHBZ#2243751", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243751" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-42794", "url": "https://www.cve.org/CVERecord?id=CVE-2023-42794" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-42794", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42794" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2023/10/10/8", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/8" }, { "category": "external", "summary": "https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82", "url": "https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-01-10T11:32:48+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.src", "AppStream-8.9.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-webapps-1:9.0.62-27.el8_9.2.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:0125" }, { "category": "workaround", "details": "No mitigation is currently available for this flaw.", "product_ids": [ "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.src", "AppStream-8.9.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-webapps-1:9.0.62-27.el8_9.2.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.src", "AppStream-8.9.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-webapps-1:9.0.62-27.el8_9.2.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: FileUpload: DoS due to accumulation of temporary files on Windows" }, { "cve": "CVE-2023-42795", "cwe": { "id": "CWE-459", "name": "Incomplete Cleanup" }, "discovery_date": "2023-10-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2243752" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat. Tomcat may skip, after an error, the recycling of the internal objects that the next request/response process might use, resulting in information leaking from one request to the next. This flaw allows a malicious user to have access to this information.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: improper cleaning of recycled objects could lead to information leak", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat rates this as a Moderate impact as the confidentiality is not fully compromised and the malicious user does not have confirmation over the scenario to replicate the error and capture the possible jeopardizing response.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.src", "AppStream-8.9.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-webapps-1:9.0.62-27.el8_9.2.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-42795" }, { "category": "external", "summary": "RHBZ#2243752", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243752" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-42795", "url": "https://www.cve.org/CVERecord?id=CVE-2023-42795" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-42795", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42795" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2023/10/10/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/9" }, { "category": "external", "summary": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw", "url": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-01-10T11:32:48+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.src", "AppStream-8.9.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-webapps-1:9.0.62-27.el8_9.2.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:0125" }, { "category": "workaround", "details": "No mitigation is currently available for this flaw.", "product_ids": [ "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.src", "AppStream-8.9.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-webapps-1:9.0.62-27.el8_9.2.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.src", "AppStream-8.9.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-webapps-1:9.0.62-27.el8_9.2.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: improper cleaning of recycled objects could lead to information leak" }, { "cve": "CVE-2023-45648", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2023-10-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2243749" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where an improper input validation can occur. This flaw allows a malicious user to send a crafted request containing an invalid trailer header, which could be treated as multiple requests, potentially leading to request smuggling when behind a reverse proxy.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: incorrectly parsed http trailer headers can cause request smuggling", "title": "Vulnerability summary" }, { "category": "other", "text": "The request smuggling is not guaranteed to have relevant information within every request and the scenario behind a reverse proxy which fails to handle the request too is necessary, hence the Moderate impact.\n\nThe Red Hat AMQ Broker team removed any tomcat dependencies in version 7.11.3. Please refer to https://errata.devel.redhat.com/advisory/121941.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.src", "AppStream-8.9.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-webapps-1:9.0.62-27.el8_9.2.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-45648" }, { "category": "external", "summary": "RHBZ#2243749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243749" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-45648", "url": "https://www.cve.org/CVERecord?id=CVE-2023-45648" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45648", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45648" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2023/10/10/10", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/10" }, { "category": "external", "summary": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp", "url": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-01-10T11:32:48+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.src", "AppStream-8.9.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-webapps-1:9.0.62-27.el8_9.2.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:0125" }, { "category": "workaround", "details": "No mitigation is currently available for this flaw.", "product_ids": [ "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.src", "AppStream-8.9.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-webapps-1:9.0.62-27.el8_9.2.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-1:9.0.62-27.el8_9.2.src", "AppStream-8.9.0.Z.MAIN:tomcat-admin-webapps-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-docs-webapp-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-el-3.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-jsp-2.3-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-lib-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-servlet-4.0-api-1:9.0.62-27.el8_9.2.noarch", "AppStream-8.9.0.Z.MAIN:tomcat-webapps-1:9.0.62-27.el8_9.2.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: incorrectly parsed http trailer headers can cause request smuggling" } ] }
rhsa-2023_7247
Vulnerability from csaf_redhat
Published
2023-11-15 17:07
Modified
2024-12-10 16:38
Summary
Red Hat Security Advisory: Red Hat Fuse 7.12.1 release and security update
Notes
Topic
A minor version update (from 7.12 to 7.12.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Red Hat Fuse 7.12.1 serves as a replacement for Red Hat Fuse 7.12 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
Security Fix(es):
* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.
* OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack (CVE-2023-46604)
* undertow: OutOfMemoryError due to @MultipartConfig handling (CVE-2023-3223)
* okio: GzipSource class improper exception handling (CVE-2023-3635)
* spring-security: spring-security-webflux: path wildcard leads to security bypass (CVE-2023-34034)
* http2-hpack: jetty: hpack header values cause denial of service in http/2 (CVE-2023-36478)
* avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)
* jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
* tomcat: FileUpload: DoS due to accumulation of temporary files on Windows (CVE-2023-42794)
* tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)
* tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)
* jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)
* jetty: OpenId Revoked authentication allows one request (CVE-2023-41900)
For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A minor version update (from 7.12 to 7.12.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "This release of Red Hat Fuse 7.12.1 serves as a replacement for Red Hat Fuse 7.12 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.\n\nSecurity Fix(es):\n\n* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)\n\nA Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.\n\n* OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack (CVE-2023-46604)\n\n* undertow: OutOfMemoryError due to @MultipartConfig handling (CVE-2023-3223)\n\n* okio: GzipSource class improper exception handling (CVE-2023-3635)\n\n* spring-security: spring-security-webflux: path wildcard leads to security bypass (CVE-2023-34034)\n\n* http2-hpack: jetty: hpack header values cause denial of service in http/2 (CVE-2023-36478)\n\n* avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)\n\n* jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)\n\n* tomcat: FileUpload: DoS due to accumulation of temporary files on Windows (CVE-2023-42794)\n\n* tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)\n\n* tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)\n\n* jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)\n\n* jetty: OpenId Revoked authentication allows one request (CVE-2023-41900)\n\nFor more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:7247", "url": "https://access.redhat.com/errata/RHSA-2023:7247" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=distributions\u0026version=7.12.1", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=distributions\u0026version=7.12.1" }, { "category": "external", "summary": "2209689", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209689" }, { "category": "external", "summary": "2229295", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229295" }, { "category": "external", "summary": "2239630", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239630" }, { "category": "external", "summary": "2239634", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239634" }, { "category": "external", "summary": "2241271", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241271" }, { "category": "external", "summary": "2242521", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242521" }, { "category": "external", "summary": "2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "category": "external", "summary": "2243123", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243123" }, { "category": "external", "summary": "2243749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243749" }, { "category": "external", "summary": "2243751", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243751" }, { "category": "external", "summary": "2243752", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243752" }, { "category": "external", "summary": "2246645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2246645" }, { "category": "external", "summary": "2247052", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2247052" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_7247.json" } ], "title": "Red Hat Security Advisory: Red Hat Fuse 7.12.1 release and security update", "tracking": { "current_release_date": "2024-12-10T16:38:40+00:00", "generator": { "date": "2024-12-10T16:38:40+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2023:7247", "initial_release_date": "2023-11-15T17:07:49+00:00", "revision_history": [ { "date": "2023-11-15T17:07:49+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-11-15T17:07:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-10T16:38:40+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Fuse 7.12.1", "product": { "name": "Red Hat Fuse 7.12.1", "product_id": "Red Hat Fuse 7.12.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_fuse:7" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "Keke Lian \u0026 Haoran Zhao" ], "organization": "System and Software Security Lab in Fudan University" } ], "cve": "CVE-2023-3223", "cwe": { "id": "CWE-789", "name": "Memory Allocation with Excessive Size Value" }, "discovery_date": "2023-05-24T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2209689" } ], "notes": [ { "category": "description", "text": "A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it\u0027s possible to bypass the limit by setting the file name in the request to null.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: OutOfMemoryError due to @MultipartConfig handling", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.12.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-3223" }, { "category": "external", "summary": "RHBZ#2209689", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209689" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-3223", "url": "https://www.cve.org/CVERecord?id=CVE-2023-3223" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-3223", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3223" } ], "release_date": "2023-08-07T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-15T17:07:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse 7.12.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:7247" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.12.1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: OutOfMemoryError due to @MultipartConfig handling" }, { "cve": "CVE-2023-3635", "cwe": { "id": "CWE-248", "name": "Uncaught Exception" }, "discovery_date": "2023-07-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2229295" } ], "notes": [ { "category": "description", "text": "A flaw was found in SquareUp Okio. A class GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This issue may allow a malicious user to start processing a malformed file, which can result in a Denial of Service (DoS).", "title": "Vulnerability description" }, { "category": "summary", "text": "okio: GzipSource class improper exception handling", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat JBoss Enterprise Application Platform XP does contain Okio package but is not using GzipSource.java, which is the affected class.\nRed Hat support for Spring Boot is considered low impact as it\u0027s used by Dekorate during compilation process and not included in the resulting Jar.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.12.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-3635" }, { "category": "external", "summary": "RHBZ#2229295", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229295" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-3635", "url": "https://www.cve.org/CVERecord?id=CVE-2023-3635" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-3635", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3635" } ], "release_date": "2023-07-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-15T17:07:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse 7.12.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:7247" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.12.1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "okio: GzipSource class improper exception handling" }, { "cve": "CVE-2023-34034", "cwe": { "id": "CWE-145", "name": "Improper Neutralization of Section Delimiters" }, "discovery_date": "2023-09-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2241271" } ], "notes": [ { "category": "description", "text": "A flaw was found in Spring Security\u0027s WebFlux framework pattern matching, where it does not properly evaluate certain patterns. A server using path-based pattern matching in WebFlux could allow an attacker to bypass security settings for some request paths, potentially leading to information disclosure, access of functionality outside the user\u0027s permissions, or denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "spring-security-webflux: path wildcard leads to security bypass", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.12.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-34034" }, { "category": "external", "summary": "RHBZ#2241271", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241271" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-34034", "url": "https://www.cve.org/CVERecord?id=CVE-2023-34034" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-34034", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34034" }, { "category": "external", "summary": "https://spring.io/security/cve-2023-34034", "url": "https://spring.io/security/cve-2023-34034" } ], "release_date": "2023-07-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-15T17:07:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse 7.12.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:7247" }, { "category": "workaround", "details": "Users of path-based URL determination should ensure that all their patterns have a slash prepended.\nexample:\n pathMatchers(\"home/**\") // vulnerable\n pathMatchers(\"/home/**\") // not vulnerable", "product_ids": [ "Red Hat Fuse 7.12.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.12.1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "spring-security-webflux: path wildcard leads to security bypass" }, { "cve": "CVE-2023-36478", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-10-10T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2243123" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jetty http2-hpack and http3-qpack. If header values exceed the size limit and Huffman is the true`MetaDataBuilder.checkSize`, the multiplication will overflow, and the length will become negative, causing a large buffer allocation on the server, leading to a Denial of Service (DoS) attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jetty: hpack header values cause denial of service in http/2", "title": "Vulnerability summary" }, { "category": "other", "text": "This flaw requires a remote attacker to repeatedly send HTTP requests with HPACK, which could easily impact the server\u0027s performance or make it run out of memory. Hence, this vulnerability received an Important impact rating.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.12.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-36478" }, { "category": "external", "summary": "RHBZ#2243123", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243123" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-36478", "url": "https://www.cve.org/CVERecord?id=CVE-2023-36478" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-36478", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36478" }, { "category": "external", "summary": "https://github.com/eclipse/jetty.project/pull/9634", "url": "https://github.com/eclipse/jetty.project/pull/9634" }, { "category": "external", "summary": "https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16", "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16" }, { "category": "external", "summary": "https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16", "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16" }, { "category": "external", "summary": "https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009", "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009" }, { "category": "external", "summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgh7-54f2-x98r", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgh7-54f2-x98r" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-15T17:07:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse 7.12.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:7247" }, { "category": "workaround", "details": "No mitigations are currently available for this vulnerability.", "product_ids": [ "Red Hat Fuse 7.12.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.12.1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jetty: hpack header values cause denial of service in http/2" }, { "cve": "CVE-2023-36479", "cwe": { "id": "CWE-149", "name": "Improper Neutralization of Quoting Syntax" }, "discovery_date": "2023-09-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2239630" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jetty\u0027s CGI servlet which permits incorrect command execution in specific circumstances such as requests with certain characters in requested filenames. This issue could allow an attacker to run permitted commands other than the one requested.", "title": "Vulnerability description" }, { "category": "summary", "text": "jetty: Improper addition of quotation marks to user inputs in CgiServlet", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.12.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-36479" }, { "category": "external", "summary": "RHBZ#2239630", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239630" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-36479", "url": "https://www.cve.org/CVERecord?id=CVE-2023-36479" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-36479", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36479" } ], "release_date": "2023-09-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-15T17:07:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse 7.12.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:7247" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1" }, "products": [ "Red Hat Fuse 7.12.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jetty: Improper addition of quotation marks to user inputs in CgiServlet" }, { "cve": "CVE-2023-39410", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2023-10-06T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2242521" } ], "notes": [ { "category": "description", "text": "A flaw was found in apache-avro. When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints, leading to an out-of-memory error and a denial of service on the system.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.12.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-39410" }, { "category": "external", "summary": "RHBZ#2242521", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242521" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-39410", "url": "https://www.cve.org/CVERecord?id=CVE-2023-39410" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39410", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39410" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/AVRO-3819", "url": "https://issues.apache.org/jira/browse/AVRO-3819" } ], "release_date": "2023-09-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-15T17:07:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse 7.12.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:7247" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.12.1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK" }, { "cve": "CVE-2023-40167", "cwe": { "id": "CWE-130", "name": "Improper Handling of Length Parameter Inconsistency" }, "discovery_date": "2023-09-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2239634" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jetty that permits a plus sign (+) preceding the content-length value in a HTTP/1 header field, which is non-standard and more permissive than RFC. This issue could allow an attacker to request smuggling in conjunction with a server that does not close connections after 400 responses.", "title": "Vulnerability description" }, { "category": "summary", "text": "jetty: Improper validation of HTTP/1 content-length", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.12.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-40167" }, { "category": "external", "summary": "RHBZ#2239634", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239634" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-40167", "url": "https://www.cve.org/CVERecord?id=CVE-2023-40167" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-40167", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40167" }, { "category": "external", "summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6" }, { "category": "external", "summary": "https://www.rfc-editor.org/rfc/rfc9110#section-8.6", "url": "https://www.rfc-editor.org/rfc/rfc9110#section-8.6" } ], "release_date": "2023-09-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-15T17:07:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse 7.12.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:7247" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "Red Hat Fuse 7.12.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jetty: Improper validation of HTTP/1 content-length" }, { "cve": "CVE-2023-41900", "cwe": { "id": "CWE-1390", "name": "Weak Authentication" }, "discovery_date": "2023-09-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2247052" } ], "notes": [ { "category": "description", "text": "Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.", "title": "Vulnerability description" }, { "category": "summary", "text": "jetty: OpenId Revoked authentication allows one request", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.12.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-41900" }, { "category": "external", "summary": "RHBZ#2247052", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2247052" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-41900", "url": "https://www.cve.org/CVERecord?id=CVE-2023-41900" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-41900", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41900" } ], "release_date": "2023-09-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-15T17:07:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse 7.12.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:7247" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat Fuse 7.12.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jetty: OpenId Revoked authentication allows one request" }, { "cve": "CVE-2023-42794", "cwe": { "id": "CWE-459", "name": "Incomplete Cleanup" }, "discovery_date": "2023-10-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2243751" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat. An incomplete cleanup vulnerability with the internal fork of the Commons FileUpload package exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from the disk, potentially leading to a denial of service due to the disk being full.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: FileUpload: DoS due to accumulation of temporary files on Windows", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat rates this flaw as a Moderate impact as this would depend on how much information an attacker has over the environment (version and disk for example, increasing the Attack Complexity) as there is no guarantee the attack is successful. \nThis may affect only scenarios where running an application on Windows.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.12.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-42794" }, { "category": "external", "summary": "RHBZ#2243751", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243751" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-42794", "url": "https://www.cve.org/CVERecord?id=CVE-2023-42794" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-42794", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42794" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2023/10/10/8", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/8" }, { "category": "external", "summary": "https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82", "url": "https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-15T17:07:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse 7.12.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:7247" }, { "category": "workaround", "details": "No mitigation is currently available for this flaw.", "product_ids": [ "Red Hat Fuse 7.12.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.12.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: FileUpload: DoS due to accumulation of temporary files on Windows" }, { "cve": "CVE-2023-42795", "cwe": { "id": "CWE-459", "name": "Incomplete Cleanup" }, "discovery_date": "2023-10-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2243752" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat. Tomcat may skip, after an error, the recycling of the internal objects that the next request/response process might use, resulting in information leaking from one request to the next. This flaw allows a malicious user to have access to this information.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: improper cleaning of recycled objects could lead to information leak", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat rates this as a Moderate impact as the confidentiality is not fully compromised and the malicious user does not have confirmation over the scenario to replicate the error and capture the possible jeopardizing response.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.12.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-42795" }, { "category": "external", "summary": "RHBZ#2243752", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243752" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-42795", "url": "https://www.cve.org/CVERecord?id=CVE-2023-42795" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-42795", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42795" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2023/10/10/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/9" }, { "category": "external", "summary": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw", "url": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-15T17:07:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse 7.12.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:7247" }, { "category": "workaround", "details": "No mitigation is currently available for this flaw.", "product_ids": [ "Red Hat Fuse 7.12.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat Fuse 7.12.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: improper cleaning of recycled objects could lead to information leak" }, { "cve": "CVE-2023-44487", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-10-09T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2242803" } ], "notes": [ { "category": "description", "text": "A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as \u0027Important\u0027 as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\r\n\r\nCVE-2023-39325 was assigned for the Rapid Reset Attack in the Go language packages.\r\n\r\nSecurity Bulletin\r\nhttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)", "title": "Vulnerability summary" }, { "category": "other", "text": "NGINX has been marked as Moderate Impact because, for performance and resource consumption reasons, NGINX limits the number of concurrent streams to a default of 128. In addition, to optimally balance network and server performance, NGINX allows the client to persist HTTP connections for up to 1000 requests by default using an HTTP keepalive.\n\nThe majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools utilize Golang package as build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.\n\nrhc component is no longer impacted by CVE-2023-44487 \u0026 CVE-2023-39325.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.12.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-44487" }, { "category": "external", "summary": "RHBZ#2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "category": "external", "summary": "RHSB-2023-003", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-44487", "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487" }, { "category": "external", "summary": "https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2023-2102", "url": "https://pkg.go.dev/vuln/GO-2023-2102" }, { "category": "external", "summary": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "category": "external", "summary": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-15T17:07:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse 7.12.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:7247" }, { "category": "workaround", "details": "Users are strongly urged to update their software as soon as fixes are available. \nThere are several mitigation approaches for this flaw. \n\n1. If circumstances permit, users may disable http2 endpoints to circumvent the flaw altogether until a fix is available.\n2. IP-based blocking or flood protection and rate control tools may be used at network endpoints to filter incoming traffic.\n3. Several package specific mitigations are also available. \n a. nginx: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/\n b. netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p\n c. haproxy: https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487\n d. nghttp2: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg\n e. golang: The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.", "product_ids": [ "Red Hat Fuse 7.12.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.12.1" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-10-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Important" } ], "title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)" }, { "cve": "CVE-2023-45648", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2023-10-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2243749" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where an improper input validation can occur. This flaw allows a malicious user to send a crafted request containing an invalid trailer header, which could be treated as multiple requests, potentially leading to request smuggling when behind a reverse proxy.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: incorrectly parsed http trailer headers can cause request smuggling", "title": "Vulnerability summary" }, { "category": "other", "text": "The request smuggling is not guaranteed to have relevant information within every request and the scenario behind a reverse proxy which fails to handle the request too is necessary, hence the Moderate impact.\n\nThe Red Hat AMQ Broker team removed any tomcat dependencies in version 7.11.3. Please refer to https://errata.devel.redhat.com/advisory/121941.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.12.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-45648" }, { "category": "external", "summary": "RHBZ#2243749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243749" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-45648", "url": "https://www.cve.org/CVERecord?id=CVE-2023-45648" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45648", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45648" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2023/10/10/10", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/10" }, { "category": "external", "summary": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp", "url": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-15T17:07:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse 7.12.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:7247" }, { "category": "workaround", "details": "No mitigation is currently available for this flaw.", "product_ids": [ "Red Hat Fuse 7.12.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "Red Hat Fuse 7.12.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: incorrectly parsed http trailer headers can cause request smuggling" }, { "cve": "CVE-2023-46604", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2023-10-27T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2246645" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache ActiveMQ, specifically the OpenWire Module. This flaw may allow a remote malicious user to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol, causing the broker to instantiate any class on the classpath. This issue happens when OpenWire commands are unmarshalled, without validating the provided throwable class type, which could allow an attacker to jeopardize the entire server.", "title": "Vulnerability description" }, { "category": "summary", "text": "activemq-openwire: OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack", "title": "Vulnerability summary" }, { "category": "other", "text": "If the openwire protocol IS NOT in use, system operators can disable the OpenWire protocol which removes most risk of this vulnerability being exploited. If OpenWire IS being used, see the Mitigations section for potential options to reduce your attack surface.\n\n\n* How to determine if an AMQ 7 system is affected:\nCheck in the broker.xml configuration file. Notice the presence of **OPENWIRE** in the following snippet which indicates a vulnerable configuration. \n~~~\n\u003cacceptor name=\"artemis\"\u003etcp://localhost:####?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,**OPENWIRE**;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;anycastPrefix=jms.queue.;multicastPrefix=jms.topic.\u003c/acceptor\u003e\n~~~\n\n\n* How to determine if an AMQ 7 for OpenShift system is affected:\nGet the `ActivemqArtemis` CR yaml and review the acceptor protocol and see if the following entry is present: `(default, all, Openwire)` which indicates the system is vulnerable.\n\n\n* How to determine if a Fuse 6 system is affected:\nBy default Fuse 6 includes and enables ActiveMQ Broker. So unless this has been manually disabled, every Fuse 6 system is affected by this vulnerability.\n\n\n* How to determine if a Fuse 7 system is affected:\nFuse 7 itself is not vulnerable. By default it ships the vulnerable activemq-client jar, however it does not instantiate an ActiveMQ broker. If this feature (connect to an external ActiveMQ Broker) were manually configured, it would make it vulnerable.\n\n\n* How to determine if a Fuse Online system is affected:\nSyndesis, an Integration Platform As A Service part of Fuse Online which runs on top of Openshift, does not use activemq code. Also, it doesn\u0027t instantiate a broker with Openwire protocol enabled, which makes it not vulnerable to this CVE.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.12.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-46604" }, { "category": "external", "summary": "RHBZ#2246645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2246645" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-46604", "url": "https://www.cve.org/CVERecord?id=CVE-2023-46604" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-46604", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46604" }, { "category": "external", "summary": "https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt", "url": "https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt" }, { "category": "external", "summary": "https://lists.apache.org/thread/y1ztwb3gktny47mj9sdv2sbw49nkgsgp", "url": "https://lists.apache.org/thread/y1ztwb3gktny47mj9sdv2sbw49nkgsgp" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2023-10-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-15T17:07:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse 7.12.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:7247" }, { "category": "workaround", "details": "In affected systems, it may be possible to mitigate some of the risks from this vulnerability. However this mitigation cannot eliminate all risks; the only complete resolution is to apply software updates. On systems where the broker is exposed to the public network, use firewall rules to restrict the transport ports and enable SSL to protect this \"Transport\".", "product_ids": [ "Red Hat Fuse 7.12.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.12.1" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-11-02T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Critical" } ], "title": "activemq-openwire: OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack" } ] }
rhsa-2023_6207
Vulnerability from csaf_redhat
Published
2023-10-31 13:05
Modified
2024-11-15 17:33
Summary
Red Hat Security Advisory: Red Hat JBoss Web Server 5.7.6 release and security update
Notes
Topic
Red Hat JBoss Web Server 5.7.6 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 5.7.6 serves as a replacement for Red Hat JBoss Web Server 5.7.5. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References section.
Security Fix(es):
* tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)
* tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat JBoss Web Server 5.7.6 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 5.7.6 serves as a replacement for Red Hat JBoss Web Server 5.7.5. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References section.\n\nSecurity Fix(es):\n\n* tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)\n\n* tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:6207", "url": "https://access.redhat.com/errata/RHSA-2023:6207" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2243749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243749" }, { "category": "external", "summary": "2243752", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243752" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6207.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Web Server 5.7.6 release and security update", "tracking": { "current_release_date": "2024-11-15T17:33:35+00:00", "generator": { "date": "2024-11-15T17:33:35+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2023:6207", "initial_release_date": "2023-10-31T13:05:06+00:00", "revision_history": [ { "date": "2023-10-31T13:05:06+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-10-31T13:05:06+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T17:33:35+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Web Server 5", "product": { "name": "Red Hat JBoss Web Server 5", "product_id": "Red Hat JBoss Web Server 5", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7" } } } ], "category": "product_family", "name": "Red Hat JBoss Web Server" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-42795", "cwe": { "id": "CWE-459", "name": "Incomplete Cleanup" }, "discovery_date": "2023-10-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2243752" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat. Tomcat may skip, after an error, the recycling of the internal objects that the next request/response process might use, resulting in information leaking from one request to the next. This flaw allows a malicious user to have access to this information.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: improper cleaning of recycled objects could lead to information leak", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat rates this as a Moderate impact as the confidentiality is not fully compromised and the malicious user does not have confirmation over the scenario to replicate the error and capture the possible jeopardizing response.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-42795" }, { "category": "external", "summary": "RHBZ#2243752", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243752" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-42795", "url": "https://www.cve.org/CVERecord?id=CVE-2023-42795" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-42795", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42795" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2023/10/10/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/9" }, { "category": "external", "summary": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw", "url": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-10-31T13:05:06+00:00", "details": "Before applying the update, back up your existing Red Hat JBoss Web Server installation, including all applications and configuration files.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:6207" }, { "category": "workaround", "details": "No mitigation is currently available for this flaw.", "product_ids": [ "Red Hat JBoss Web Server 5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: improper cleaning of recycled objects could lead to information leak" }, { "cve": "CVE-2023-45648", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2023-10-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2243749" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where an improper input validation can occur. This flaw allows a malicious user to send a crafted request containing an invalid trailer header, which could be treated as multiple requests, potentially leading to request smuggling when behind a reverse proxy.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: incorrectly parsed http trailer headers can cause request smuggling", "title": "Vulnerability summary" }, { "category": "other", "text": "The request smuggling is not guaranteed to have relevant information within every request and the scenario behind a reverse proxy which fails to handle the request too is necessary, hence the Moderate impact.\n\nThe Red Hat AMQ Broker team removed any tomcat dependencies in version 7.11.3. Please refer to https://errata.devel.redhat.com/advisory/121941.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 5" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-45648" }, { "category": "external", "summary": "RHBZ#2243749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243749" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-45648", "url": "https://www.cve.org/CVERecord?id=CVE-2023-45648" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45648", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45648" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2023/10/10/10", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/10" }, { "category": "external", "summary": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp", "url": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-10-31T13:05:06+00:00", "details": "Before applying the update, back up your existing Red Hat JBoss Web Server installation, including all applications and configuration files.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 5" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:6207" }, { "category": "workaround", "details": "No mitigation is currently available for this flaw.", "product_ids": [ "Red Hat JBoss Web Server 5" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 5" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: incorrectly parsed http trailer headers can cause request smuggling" } ] }
rhsa-2023_6206
Vulnerability from csaf_redhat
Published
2023-10-31 13:09
Modified
2024-11-15 17:33
Summary
Red Hat Security Advisory: Red Hat JBoss Web Server 5.7.6 release and security update
Notes
Topic
An update is now available for Red Hat JBoss Web Server 5.7.6 on Red Hat Enterprise Linux versions 7, 8, and 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 5.7.6 serves as a replacement for Red Hat JBoss Web Server 5.7.5. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References section.
Security Fix(es):
* tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)
* tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Web Server 5.7.6 on Red Hat Enterprise Linux versions 7, 8, and 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 5.7.6 serves as a replacement for Red Hat JBoss Web Server 5.7.5. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References section.\n\nSecurity Fix(es):\n\n* tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)\n\n* tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:6206", "url": "https://access.redhat.com/errata/RHSA-2023:6206" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2243749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243749" }, { "category": "external", "summary": "2243752", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243752" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6206.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Web Server 5.7.6 release and security update", "tracking": { "current_release_date": "2024-11-15T17:33:48+00:00", "generator": { "date": "2024-11-15T17:33:48+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2023:6206", "initial_release_date": "2023-10-31T13:09:55+00:00", "revision_history": [ { "date": "2023-10-31T13:09:55+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-10-31T13:09:55+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T17:33:48+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Web Server 5.7 for RHEL 7 Server", "product": { "name": "Red Hat JBoss Web Server 5.7 for RHEL 7 Server", "product_id": "7Server-JWS-5.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el7" } } }, { "category": "product_name", "name": "Red Hat JBoss Web Server 5.7 for RHEL 8", "product": { "name": "Red Hat JBoss Web Server 5.7 for RHEL 8", "product_id": "8Base-JWS-5.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el8" } } }, { "category": "product_name", "name": "Red Hat JBoss Web Server 5.7 for RHEL 9", "product": { "name": "Red Hat JBoss Web Server 5.7 for RHEL 9", "product_id": "9Base-JWS-5.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9" } } } ], "category": "product_family", "name": "Red Hat JBoss Web Server" }, { "branches": [ { "category": "product_version", "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.src", "product": { "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.src", "product_id": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat@9.0.62-18.redhat_00016.1.el7jws?arch=src" } } }, { "category": "product_version", "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.src", "product": { "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.src", "product_id": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat@9.0.62-18.redhat_00016.1.el8jws?arch=src" } } }, { "category": "product_version", "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.src", "product": { "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.src", "product_id": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat@9.0.62-18.redhat_00016.1.el9jws?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product": { "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_id": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat@9.0.62-18.redhat_00016.1.el7jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product": { "name": "jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_id": "jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-admin-webapps@9.0.62-18.redhat_00016.1.el7jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product": { "name": "jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_id": "jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-docs-webapp@9.0.62-18.redhat_00016.1.el7jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product": { "name": "jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_id": "jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-el-3.0-api@9.0.62-18.redhat_00016.1.el7jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-java-jdk11-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product": { "name": "jws5-tomcat-java-jdk11-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_id": "jws5-tomcat-java-jdk11-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-java-jdk11@9.0.62-18.redhat_00016.1.el7jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-java-jdk8-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product": { "name": "jws5-tomcat-java-jdk8-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_id": "jws5-tomcat-java-jdk8-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-java-jdk8@9.0.62-18.redhat_00016.1.el7jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product": { "name": "jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_id": "jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-javadoc@9.0.62-18.redhat_00016.1.el7jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product": { "name": "jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_id": "jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-jsp-2.3-api@9.0.62-18.redhat_00016.1.el7jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product": { "name": "jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_id": "jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-lib@9.0.62-18.redhat_00016.1.el7jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product": { "name": "jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_id": "jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-selinux@9.0.62-18.redhat_00016.1.el7jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product": { "name": "jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_id": "jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-servlet-4.0-api@9.0.62-18.redhat_00016.1.el7jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product": { "name": "jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_id": "jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-webapps@9.0.62-18.redhat_00016.1.el7jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product": { "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_id": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat@9.0.62-18.redhat_00016.1.el8jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product": { "name": "jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_id": "jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-admin-webapps@9.0.62-18.redhat_00016.1.el8jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product": { "name": "jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_id": "jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-docs-webapp@9.0.62-18.redhat_00016.1.el8jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product": { "name": "jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_id": "jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-el-3.0-api@9.0.62-18.redhat_00016.1.el8jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product": { "name": "jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_id": "jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-javadoc@9.0.62-18.redhat_00016.1.el8jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product": { "name": "jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_id": "jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-jsp-2.3-api@9.0.62-18.redhat_00016.1.el8jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product": { "name": "jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_id": "jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-lib@9.0.62-18.redhat_00016.1.el8jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product": { "name": "jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_id": "jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-selinux@9.0.62-18.redhat_00016.1.el8jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product": { "name": "jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_id": "jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-servlet-4.0-api@9.0.62-18.redhat_00016.1.el8jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product": { "name": "jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_id": "jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-webapps@9.0.62-18.redhat_00016.1.el8jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product": { "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_id": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat@9.0.62-18.redhat_00016.1.el9jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product": { "name": "jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_id": "jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-admin-webapps@9.0.62-18.redhat_00016.1.el9jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product": { "name": "jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_id": "jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-docs-webapp@9.0.62-18.redhat_00016.1.el9jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product": { "name": "jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_id": "jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-el-3.0-api@9.0.62-18.redhat_00016.1.el9jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product": { "name": "jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_id": "jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-javadoc@9.0.62-18.redhat_00016.1.el9jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product": { "name": "jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_id": "jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-jsp-2.3-api@9.0.62-18.redhat_00016.1.el9jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product": { "name": "jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_id": "jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-lib@9.0.62-18.redhat_00016.1.el9jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product": { "name": "jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_id": "jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-selinux@9.0.62-18.redhat_00016.1.el9jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product": { "name": "jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_id": "jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-servlet-4.0-api@9.0.62-18.redhat_00016.1.el9jws?arch=noarch" } } }, { "category": "product_version", "name": "jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product": { "name": "jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_id": "jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jws5-tomcat-webapps@9.0.62-18.redhat_00016.1.el9jws?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 7 Server", "product_id": "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.noarch" }, "product_reference": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "relates_to_product_reference": "7Server-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.src as a component of Red Hat JBoss Web Server 5.7 for RHEL 7 Server", "product_id": "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.src" }, "product_reference": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.src", "relates_to_product_reference": "7Server-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 7 Server", "product_id": "7Server-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch" }, "product_reference": "jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "relates_to_product_reference": "7Server-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 7 Server", "product_id": "7Server-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el7jws.noarch" }, "product_reference": "jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "relates_to_product_reference": "7Server-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 7 Server", "product_id": "7Server-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch" }, "product_reference": "jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "relates_to_product_reference": "7Server-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-java-jdk11-0:9.0.62-18.redhat_00016.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 7 Server", "product_id": "7Server-JWS-5.7:jws5-tomcat-java-jdk11-0:9.0.62-18.redhat_00016.1.el7jws.noarch" }, "product_reference": "jws5-tomcat-java-jdk11-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "relates_to_product_reference": "7Server-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-java-jdk8-0:9.0.62-18.redhat_00016.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 7 Server", "product_id": "7Server-JWS-5.7:jws5-tomcat-java-jdk8-0:9.0.62-18.redhat_00016.1.el7jws.noarch" }, "product_reference": "jws5-tomcat-java-jdk8-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "relates_to_product_reference": "7Server-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 7 Server", "product_id": "7Server-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el7jws.noarch" }, "product_reference": "jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "relates_to_product_reference": "7Server-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 7 Server", "product_id": "7Server-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch" }, "product_reference": "jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "relates_to_product_reference": "7Server-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 7 Server", "product_id": "7Server-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el7jws.noarch" }, "product_reference": "jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "relates_to_product_reference": "7Server-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 7 Server", "product_id": "7Server-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el7jws.noarch" }, "product_reference": "jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "relates_to_product_reference": "7Server-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 7 Server", "product_id": "7Server-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch" }, "product_reference": "jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "relates_to_product_reference": "7Server-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 7 Server", "product_id": "7Server-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch" }, "product_reference": "jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "relates_to_product_reference": "7Server-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 8", "product_id": "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.noarch" }, "product_reference": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "relates_to_product_reference": "8Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.src as a component of Red Hat JBoss Web Server 5.7 for RHEL 8", "product_id": "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.src" }, "product_reference": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.src", "relates_to_product_reference": "8Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 8", "product_id": "8Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch" }, "product_reference": "jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "relates_to_product_reference": "8Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 8", "product_id": "8Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el8jws.noarch" }, "product_reference": "jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "relates_to_product_reference": "8Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 8", "product_id": "8Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch" }, "product_reference": "jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "relates_to_product_reference": "8Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 8", "product_id": "8Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el8jws.noarch" }, "product_reference": "jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "relates_to_product_reference": "8Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 8", "product_id": "8Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch" }, "product_reference": "jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "relates_to_product_reference": "8Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 8", "product_id": "8Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el8jws.noarch" }, "product_reference": "jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "relates_to_product_reference": "8Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 8", "product_id": "8Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el8jws.noarch" }, "product_reference": "jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "relates_to_product_reference": "8Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 8", "product_id": "8Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch" }, "product_reference": "jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "relates_to_product_reference": "8Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 8", "product_id": "8Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch" }, "product_reference": "jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "relates_to_product_reference": "8Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 9", "product_id": "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.noarch" }, "product_reference": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "relates_to_product_reference": "9Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.src as a component of Red Hat JBoss Web Server 5.7 for RHEL 9", "product_id": "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.src" }, "product_reference": "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.src", "relates_to_product_reference": "9Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 9", "product_id": "9Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch" }, "product_reference": "jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "relates_to_product_reference": "9Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 9", "product_id": "9Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el9jws.noarch" }, "product_reference": "jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "relates_to_product_reference": "9Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 9", "product_id": "9Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch" }, "product_reference": "jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "relates_to_product_reference": "9Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 9", "product_id": "9Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el9jws.noarch" }, "product_reference": "jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "relates_to_product_reference": "9Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 9", "product_id": "9Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch" }, "product_reference": "jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "relates_to_product_reference": "9Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 9", "product_id": "9Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el9jws.noarch" }, "product_reference": "jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "relates_to_product_reference": "9Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 9", "product_id": "9Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el9jws.noarch" }, "product_reference": "jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "relates_to_product_reference": "9Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 9", "product_id": "9Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch" }, "product_reference": "jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "relates_to_product_reference": "9Base-JWS-5.7" }, { "category": "default_component_of", "full_product_name": { "name": "jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.7 for RHEL 9", "product_id": "9Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch" }, "product_reference": "jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "relates_to_product_reference": "9Base-JWS-5.7" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-42795", "cwe": { "id": "CWE-459", "name": "Incomplete Cleanup" }, "discovery_date": "2023-10-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2243752" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat. Tomcat may skip, after an error, the recycling of the internal objects that the next request/response process might use, resulting in information leaking from one request to the next. This flaw allows a malicious user to have access to this information.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: improper cleaning of recycled objects could lead to information leak", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat rates this as a Moderate impact as the confidentiality is not fully compromised and the malicious user does not have confirmation over the scenario to replicate the error and capture the possible jeopardizing response.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.src", "7Server-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-java-jdk11-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-java-jdk8-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.src", "8Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.src", "9Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-42795" }, { "category": "external", "summary": "RHBZ#2243752", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243752" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-42795", "url": "https://www.cve.org/CVERecord?id=CVE-2023-42795" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-42795", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42795" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2023/10/10/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/9" }, { "category": "external", "summary": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw", "url": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-10-31T13:09:55+00:00", "details": "Before applying the update, back up your existing Red Hat JBoss Web Server installation, including all applications and configuration files.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.src", "7Server-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-java-jdk11-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-java-jdk8-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.src", "8Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.src", "9Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:6206" }, { "category": "workaround", "details": "No mitigation is currently available for this flaw.", "product_ids": [ "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.src", "7Server-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-java-jdk11-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-java-jdk8-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.src", "8Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.src", "9Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.src", "7Server-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-java-jdk11-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-java-jdk8-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.src", "8Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.src", "9Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: improper cleaning of recycled objects could lead to information leak" }, { "cve": "CVE-2023-45648", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2023-10-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2243749" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where an improper input validation can occur. This flaw allows a malicious user to send a crafted request containing an invalid trailer header, which could be treated as multiple requests, potentially leading to request smuggling when behind a reverse proxy.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: incorrectly parsed http trailer headers can cause request smuggling", "title": "Vulnerability summary" }, { "category": "other", "text": "The request smuggling is not guaranteed to have relevant information within every request and the scenario behind a reverse proxy which fails to handle the request too is necessary, hence the Moderate impact.\n\nThe Red Hat AMQ Broker team removed any tomcat dependencies in version 7.11.3. Please refer to https://errata.devel.redhat.com/advisory/121941.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.src", "7Server-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-java-jdk11-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-java-jdk8-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.src", "8Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.src", "9Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-45648" }, { "category": "external", "summary": "RHBZ#2243749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243749" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-45648", "url": "https://www.cve.org/CVERecord?id=CVE-2023-45648" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45648", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45648" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2023/10/10/10", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/10" }, { "category": "external", "summary": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp", "url": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp" } ], "release_date": "2023-10-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-10-31T13:09:55+00:00", "details": "Before applying the update, back up your existing Red Hat JBoss Web Server installation, including all applications and configuration files.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.src", "7Server-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-java-jdk11-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-java-jdk8-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.src", "8Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.src", "9Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:6206" }, { "category": "workaround", "details": "No mitigation is currently available for this flaw.", "product_ids": [ "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.src", "7Server-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-java-jdk11-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-java-jdk8-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.src", "8Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.src", "9Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws.src", "7Server-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-java-jdk11-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-java-jdk8-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "7Server-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el7jws.noarch", "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws.src", "8Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "8Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el8jws.noarch", "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws.src", "9Base-JWS-5.7:jws5-tomcat-admin-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-docs-webapp-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-el-3.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-javadoc-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-jsp-2.3-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-lib-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-selinux-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-servlet-4.0-api-0:9.0.62-18.redhat_00016.1.el9jws.noarch", "9Base-JWS-5.7:jws5-tomcat-webapps-0:9.0.62-18.redhat_00016.1.el9jws.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: incorrectly parsed http trailer headers can cause request smuggling" } ] }
wid-sec-w-2024-0107
Vulnerability from csaf_certbund
Published
2024-01-16 23:00
Modified
2024-01-16 23:00
Summary
Oracle Communications Applications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Communications Applications umfasst eine Sammlung von Werkzeugen zur Verwaltung von Messaging-, Kommunikationsdiensten und -ressourcen.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Communications Applications umfasst eine Sammlung von Werkzeugen zur Verwaltung von Messaging-, Kommunikationsdiensten und -ressourcen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications Applications ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-0107 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0107.json" }, { "category": "self", "summary": "WID-SEC-2024-0107 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0107" }, { "category": "external", "summary": "Oracle Critical Patch Update Advisory - January 2024 - Appendix Oracle Communications Applications vom 2024-01-16", "url": "https://www.oracle.com/security-alerts/cpujan2024.html#AppendixCAGBU" } ], "source_lang": "en-US", "title": "Oracle Communications Applications: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-01-16T23:00:00.000+00:00", "generator": { "date": "2024-08-15T18:03:44.309+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2024-0107", "initial_release_date": "2024-01-16T23:00:00.000+00:00", "revision_history": [ { "date": "2024-01-16T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Oracle Communications Applications 7.4.0", "product": { "name": "Oracle Communications Applications 7.4.0", "product_id": "T018938", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.1", "product": { "name": "Oracle Communications Applications 7.4.1", "product_id": "T018939", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.1" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.2", "product": { "name": "Oracle Communications Applications 7.4.2", "product_id": "T018940", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.2" } } }, { "category": "product_name", "name": "Oracle Communications Applications 6.0.1.0.0", "product": { "name": "Oracle Communications Applications 6.0.1.0.0", "product_id": "T021634", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:6.0.1.0.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.5.0", "product": { "name": "Oracle Communications Applications 7.5.0", "product_id": "T021639", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.5.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4", "product": { "name": "Oracle Communications Applications 7.4", "product_id": "T022811", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 12.0.6.0.0", "product": { "name": "Oracle Communications Applications \u003c= 12.0.6.0.0", "product_id": "T027325", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:12.0.6.0.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 12.0.0.8.0", "product": { "name": "Oracle Communications Applications \u003c= 12.0.0.8.0", "product_id": "T028669", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:12.0.0.8.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 3.0.3.2", "product": { "name": "Oracle Communications Applications 3.0.3.2", "product_id": "T028670", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:3.0.3.2" } } }, { "category": "product_name", "name": "Oracle Communications Applications 10.0.1.7.0", "product": { "name": "Oracle Communications Applications 10.0.1.7.0", "product_id": "T028674", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:10.0.1.7.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.0.7.0", "product": { "name": "Oracle Communications Applications 7.4.0.7.0", "product_id": "T028676", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.0.7.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.1.5.0", "product": { "name": "Oracle Communications Applications 7.4.1.5.0", "product_id": "T028677", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.1.5.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.2.8.0", "product": { "name": "Oracle Communications Applications 7.4.2.8.0", "product_id": "T028678", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.2.8.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 6.3.1.0.0", "product": { "name": "Oracle Communications Applications 6.3.1.0.0", "product_id": "T030578", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:6.3.1.0.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 12.0.0.8", "product": { "name": "Oracle Communications Applications \u003c= 12.0.0.8", "product_id": "T030579", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:12.0.0.8" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 6.0.3", "product": { "name": "Oracle Communications Applications \u003c= 6.0.3", "product_id": "T030581", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:6.0.3" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 12.0.0.7", "product": { "name": "Oracle Communications Applications \u003c= 12.0.0.7", "product_id": "T032083", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:12.0.0.7" } } }, { "category": "product_name", "name": "Oracle Communications Applications 15.0.0.0.0", "product": { "name": "Oracle Communications Applications 15.0.0.0.0", "product_id": "T032084", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:15.0.0.0.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 3.0.3.3", "product": { "name": "Oracle Communications Applications 3.0.3.3", "product_id": "T032085", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:3.0.3.3" } } }, { "category": "product_name", "name": "Oracle Communications Applications 8.1.0.24.0", "product": { "name": "Oracle Communications Applications 8.1.0.24.0", "product_id": "T032086", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:8.1.0.24.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 5.5.19", "product": { "name": "Oracle Communications Applications \u003c= 5.5.19", "product_id": "T032087", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:5.5.19" } } } ], "category": "product_name", "name": "Communications Applications" } ], "category": "vendor", "name": "Oracle" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-5072", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-5072" }, { "cve": "CVE-2023-45648", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-45648" }, { "cve": "CVE-2023-44981", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-44981" }, { "cve": "CVE-2023-44487", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-44487" }, { "cve": "CVE-2023-44483", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-44483" }, { "cve": "CVE-2023-42794", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-42794" }, { "cve": "CVE-2023-42503", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-42503" }, { "cve": "CVE-2023-37536", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-37536" }, { "cve": "CVE-2023-34981", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-34981" }, { "cve": "CVE-2023-34034", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-34034" }, { "cve": "CVE-2023-33201", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-33201" }, { "cve": "CVE-2023-31122", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-31122" }, { "cve": "CVE-2023-2976", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-2976" }, { "cve": "CVE-2023-28823", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-28823" }, { "cve": "CVE-2023-25194", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-25194" }, { "cve": "CVE-2023-20883", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-20883" }, { "cve": "CVE-2022-45868", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-45868" }, { "cve": "CVE-2022-42920", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-42920" }, { "cve": "CVE-2022-36944", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-36944" }, { "cve": "CVE-2022-31160", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-31160" }, { "cve": "CVE-2022-31147", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-31147" }, { "cve": "CVE-2022-1471", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-1471" }, { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2021-4104" }, { "cve": "CVE-2021-37533", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2021-37533" } ] }
wid-sec-w-2024-0528
Vulnerability from csaf_certbund
Published
2024-02-29 23:00
Modified
2024-02-29 23:00
Summary
Dell Data Protection Advisor: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Data Protection Advisor ist eine Monitoring Lösung. Der Collector ist der lokale Agent.
Angriff
Ein Angreifer kann mehrere Schwachstellen in Dell Data Protection Advisor ausnutzen, um beliebigen Code auszuführen, einen Denial-of-Service-Zustand herbeizuführen, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Berechtigungen zu erweitern oder einen nicht spezifizierten Angriff durchzuführen.
Betroffene Betriebssysteme
- Windows
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Data Protection Advisor ist eine Monitoring L\u00f6sung. Der Collector ist der lokale Agent.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen in Dell Data Protection Advisor ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Berechtigungen zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-0528 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0528.json" }, { "category": "self", "summary": "WID-SEC-2024-0528 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0528" }, { "category": "external", "summary": "Dell Security Advisory DSA-2024-107 vom 2024-02-29", "url": "https://www.dell.com/support/kbdoc/000222618/dsa-2024-=" } ], "source_lang": "en-US", "title": "Dell Data Protection Advisor: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-02-29T23:00:00.000+00:00", "generator": { "date": "2024-08-15T18:05:58.480+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2024-0528", "initial_release_date": "2024-02-29T23:00:00.000+00:00", "revision_history": [ { "date": "2024-02-29T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c 19.10", "product": { "name": "Dell Data Protection Advisor \u003c 19.10", "product_id": "T033198" } } ], "category": "product_name", "name": "Data Protection Advisor" } ], "category": "vendor", "name": "Dell" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-45648", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2023-45648" }, { "cve": "CVE-2023-42795", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2023-42795" }, { "cve": "CVE-2023-41080", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2023-41080" }, { "cve": "CVE-2023-34055", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2023-34055" }, { "cve": "CVE-2023-28708", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2023-28708" }, { "cve": "CVE-2023-28154", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2023-28154" }, { "cve": "CVE-2023-22081", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2023-22081" }, { "cve": "CVE-2023-22067", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2023-22067" }, { "cve": "CVE-2023-22025", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2023-22025" }, { "cve": "CVE-2023-20883", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2023-20883" }, { "cve": "CVE-2023-20873", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2023-20873" }, { "cve": "CVE-2023-20863", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2023-20863" }, { "cve": "CVE-2023-20861", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2023-20861" }, { "cve": "CVE-2022-46175", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-46175" }, { "cve": "CVE-2022-41854", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-41854" }, { "cve": "CVE-2022-38752", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-38752" }, { "cve": "CVE-2022-38751", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-38751" }, { "cve": "CVE-2022-38750", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-38750" }, { "cve": "CVE-2022-38749", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-38749" }, { "cve": "CVE-2022-37603", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-37603" }, { "cve": "CVE-2022-37601", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-37601" }, { "cve": "CVE-2022-37599", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-37599" }, { "cve": "CVE-2022-31129", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-31129" }, { "cve": "CVE-2022-27772", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-27772" }, { "cve": "CVE-2022-25881", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-25881" }, { "cve": "CVE-2022-25858", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-25858" }, { "cve": "CVE-2022-22971", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-22971" }, { "cve": "CVE-2022-22970", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-22970" }, { "cve": "CVE-2022-22968", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-22968" }, { "cve": "CVE-2022-22965", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-22965" }, { "cve": "CVE-2022-22950", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2022-22950" }, { "cve": "CVE-2021-43980", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2021-43980" }, { "cve": "CVE-2021-33037", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2021-33037" }, { "cve": "CVE-2021-30640", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2021-30640" }, { "cve": "CVE-2020-5421", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2020-5421" }, { "cve": "CVE-2020-1938", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2020-1938" }, { "cve": "CVE-2020-1935", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2020-1935" }, { "cve": "CVE-2020-13943", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2020-13943" }, { "cve": "CVE-2020-13935", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2020-13935" }, { "cve": "CVE-2020-13934", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2020-13934" }, { "cve": "CVE-2020-11996", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2020-11996" }, { "cve": "CVE-2019-2684", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2019-2684" }, { "cve": "CVE-2019-17563", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2019-17563" }, { "cve": "CVE-2019-12418", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2019-12418" }, { "cve": "CVE-2019-10072", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2019-10072" }, { "cve": "CVE-2019-0232", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2019-0232" }, { "cve": "CVE-2019-0221", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2019-0221" }, { "cve": "CVE-2019-0199", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2019-0199" }, { "cve": "CVE-2018-8037", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2018-8037" }, { "cve": "CVE-2018-8034", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2018-8034" }, { "cve": "CVE-2018-8014", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2018-8014" }, { "cve": "CVE-2018-15756", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2018-15756" }, { "cve": "CVE-2018-1336", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2018-1336" }, { "cve": "CVE-2018-1305", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2018-1305" }, { "cve": "CVE-2018-1304", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2018-1304" }, { "cve": "CVE-2018-1275", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2018-1275" }, { "cve": "CVE-2018-1272", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2018-1272" }, { "cve": "CVE-2018-1271", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2018-1271" }, { "cve": "CVE-2018-1270", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2018-1270" }, { "cve": "CVE-2018-1257", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2018-1257" }, { "cve": "CVE-2018-1199", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2018-1199" }, { "cve": "CVE-2018-1196", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2018-1196" }, { "cve": "CVE-2018-11784", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2018-11784" }, { "cve": "CVE-2018-11040", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2018-11040" }, { "cve": "CVE-2018-11039", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2018-11039" }, { "cve": "CVE-2017-8046", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2017-8046" }, { "cve": "CVE-2017-7675", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2017-7675" }, { "cve": "CVE-2017-7674", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2017-7674" }, { "cve": "CVE-2017-5664", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2017-5664" }, { "cve": "CVE-2017-5651", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2017-5651" }, { "cve": "CVE-2017-5650", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2017-5650" }, { "cve": "CVE-2017-5648", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2017-5648" }, { "cve": "CVE-2017-5647", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2017-5647" }, { "cve": "CVE-2017-18640", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2017-18640" }, { "cve": "CVE-2017-12617", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2017-12617" }, { "cve": "CVE-2016-9878", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2016-9878" }, { "cve": "CVE-2016-8745", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2016-8745" }, { "cve": "CVE-2016-8735", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2016-8735" }, { "cve": "CVE-2016-6817", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2016-6817" }, { "cve": "CVE-2016-6816", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in Dell Data Protection Advisor. Diese Fehler bestehen in den Komponenten von Drittanbietern wie Apache Tomcat, Java SE oder Spring Framework und anderen aufgrund mehrerer sicherheitsrelevanter Probleme. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Dateien zu manipulieren, vertrauliche Informationen offenzulegen, seine Rechte zu erweitern oder einen nicht spezifizierten Angriff durchzuf\u00fchren." } ], "release_date": "2024-02-29T23:00:00.000+00:00", "title": "CVE-2016-6816" } ] }
wid-sec-w-2024-0106
Vulnerability from csaf_certbund
Published
2024-01-16 23:00
Modified
2024-01-16 23:00
Summary
Oracle Communications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Communications umfasst branchenspezifische Lösungen für die Telekommunikationsbranche.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
- Sonstiges
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Oracle Communications umfasst branchenspezifische L\u00f6sungen f\u00fcr die Telekommunikationsbranche.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows\n- Sonstiges", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-0106 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0106.json" }, { "category": "self", "summary": "WID-SEC-2024-0106 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0106" }, { "category": "external", "summary": "Oracle Critical Patch Update Advisory - January 2024 - Appendix Oracle Communications vom 2024-01-16", "url": "https://www.oracle.com/security-alerts/cpujan2024.html#AppendixCGBU" } ], "source_lang": "en-US", "title": "Oracle Communications: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-01-16T23:00:00.000+00:00", "generator": { "date": "2024-08-15T18:03:43.880+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2024-0106", "initial_release_date": "2024-01-16T23:00:00.000+00:00", "revision_history": [ { "date": "2024-01-16T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Oracle Communications 5.0", "product": { "name": "Oracle Communications 5.0", "product_id": "T021645", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications:5.0" } } }, { "category": "product_name", "name": "Oracle Communications 8.6.0.0", "product": { "name": "Oracle Communications 8.6.0.0", "product_id": "T024970", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications:8.6.0.0" } } }, { "category": "product_name", "name": "Oracle Communications 23.1.0", "product": { "name": "Oracle Communications 23.1.0", "product_id": "T027326", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications:23.1.0" } } }, { "category": "product_name", "name": "Oracle Communications 12.6.1.0.0", "product": { "name": "Oracle Communications 12.6.1.0.0", "product_id": "T027338", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications:12.6.1.0.0" } } }, { "category": "product_name", "name": "Oracle Communications 23.2.0", "product": { "name": "Oracle Communications 23.2.0", "product_id": "T028682", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications:23.2.0" } } }, { "category": "product_name", "name": "Oracle Communications 5.1", "product": { "name": "Oracle Communications 5.1", "product_id": "T028684", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications:5.1" } } }, { "category": "product_name", "name": "Oracle Communications 23.1.3", "product": { "name": "Oracle Communications 23.1.3", "product_id": "T030584", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications:23.1.3" } } }, { "category": "product_name", "name": "Oracle Communications 23.2.1", "product": { "name": "Oracle Communications 23.2.1", "product_id": "T030585", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications:23.2.1" } } }, { "category": "product_name", "name": "Oracle Communications 23.3.0", "product": { "name": "Oracle Communications 23.3.0", "product_id": "T030586", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications:23.3.0" } } }, { "category": "product_name", "name": "Oracle Communications 9.0.0.0", "product": { "name": "Oracle Communications 9.0.0.0", "product_id": "T030589", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications:9.0.0.0" } } }, { "category": "product_name", "name": "Oracle Communications 23.3.1", "product": { "name": "Oracle Communications 23.3.1", "product_id": "T032088", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications:23.3.1" } } }, { "category": "product_name", "name": "Oracle Communications \u003c= 9.0.2.0.1", "product": { "name": "Oracle Communications \u003c= 9.0.2.0.1", "product_id": "T032089", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications:9.0.2.0.1" } } }, { "category": "product_name", "name": "Oracle Communications 15.0.0.0.0", "product": { "name": "Oracle Communications 15.0.0.0.0", "product_id": "T032090", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications:15.0.0.0.0" } } }, { "category": "product_name", "name": "Oracle Communications 23.4.0", "product": { "name": "Oracle Communications 23.4.0", "product_id": "T032091", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications:23.4.0" } } }, { "category": "product_name", "name": "Oracle Communications 23.1.4", "product": { "name": "Oracle Communications 23.1.4", "product_id": "T032092", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications:23.1.4" } } }, { "category": "product_name", "name": "Oracle Communications 23.2.0.0.2", "product": { "name": "Oracle Communications 23.2.0.0.2", "product_id": "T032093", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications:23.2.0.0.2" } } }, { "category": "product_name", "name": "Oracle Communications 23.3.0.0.0", "product": { "name": "Oracle Communications 23.3.0.0.0", "product_id": "T032094", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications:23.3.0.0.0" } } } ], "category": "product_name", "name": "Communications" } ], "category": "vendor", "name": "Oracle" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-5072", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-5072" }, { "cve": "CVE-2023-50164", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-50164" }, { "cve": "CVE-2023-4911", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-4911" }, { "cve": "CVE-2023-46604", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-46604" }, { "cve": "CVE-2023-46589", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-46589" }, { "cve": "CVE-2023-45648", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-45648" }, { "cve": "CVE-2023-45145", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-45145" }, { "cve": "CVE-2023-44981", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-44981" }, { "cve": "CVE-2023-44487", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-44487" }, { "cve": "CVE-2023-44483", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-44483" }, { "cve": "CVE-2023-43496", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-43496" }, { "cve": "CVE-2023-41053", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-41053" }, { "cve": "CVE-2023-40167", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-40167" }, { "cve": "CVE-2023-38325", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-38325" }, { "cve": "CVE-2023-37536", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-37536" }, { "cve": "CVE-2023-36478", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-36478" }, { "cve": "CVE-2023-34055", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-34055" }, { "cve": "CVE-2023-34053", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-34053" }, { "cve": "CVE-2023-34034", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-34034" }, { "cve": "CVE-2023-33201", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-33201" }, { "cve": "CVE-2023-31582", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-31582" }, { "cve": "CVE-2023-31486", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-31486" }, { "cve": "CVE-2023-30861", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-30861" }, { "cve": "CVE-2023-2976", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-2976" }, { "cve": "CVE-2023-2283", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-2283" }, { "cve": "CVE-2023-22102", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-22102" }, { "cve": "CVE-2023-1108", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2023-1108" }, { "cve": "CVE-2022-48174", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-48174" }, { "cve": "CVE-2022-46751", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2022-46751" }, { "cve": "CVE-2021-46848", "notes": [ { "category": "description", "text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028682", "T030585", "T030584", "T030586", "T030589", "T032094", "T032088", "T032092", "T032093", "T032090", "T021645", "T032091", "T027326", "T024970", "T027338", "T028684" ], "last_affected": [ "T032089" ] }, "release_date": "2024-01-16T23:00:00.000+00:00", "title": "CVE-2021-46848" } ] }
wid-sec-w-2023-2963
Vulnerability from csaf_certbund
Published
2023-11-16 23:00
Modified
2023-11-16 23:00
Summary
Trellix ePolicy Orchestrator: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Trellix ePolicy Orchestrator (ePO) zentralisiert und optimiert die Verwaltung der Sicherheit von Endgeräten, Netzwerken und Inhalten.
Angriff
Ein entfernter Angreifer kann mehrere Schwachstellen in Trellix ePolicy Orchestrator ausnutzen, um sich administrative Rechte zu verschaffen, um einen Redirect-Angriff auszuführen und um nicht näher spezifizierte Auswirkungen zu erzielen.
Betroffene Betriebssysteme
- Windows
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Trellix ePolicy Orchestrator (ePO) zentralisiert und optimiert die Verwaltung der Sicherheit von Endger\u00e4ten, Netzwerken und Inhalten.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter Angreifer kann mehrere Schwachstellen in Trellix ePolicy Orchestrator ausnutzen, um sich administrative Rechte zu verschaffen, um einen Redirect-Angriff auszuf\u00fchren und um nicht n\u00e4her spezifizierte Auswirkungen zu erzielen.", "title": "Angriff" }, { "category": "general", "text": "- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-2963 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2963.json" }, { "category": "self", "summary": "WID-SEC-2023-2963 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2963" }, { "category": "external", "summary": "Trellix Security Bulletin vom 2023-11-16", "url": "https://kcm.trellix.com/corporate/index?page=content\u0026id=SB10410\u0026actp=null\u0026viewlocale=en_US\u0026showDraft=false\u0026platinum_status=false\u0026locale=en_US" } ], "source_lang": "en-US", "title": "Trellix ePolicy Orchestrator: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-11-16T23:00:00.000+00:00", "generator": { "date": "2024-08-15T18:01:51.137+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2023-2963", "initial_release_date": "2023-11-16T23:00:00.000+00:00", "revision_history": [ { "date": "2023-11-16T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Trellix ePolicy Orchestrator \u003c 5.10.0 SP1 UP2", "product": { "name": "Trellix ePolicy Orchestrator \u003c 5.10.0 SP1 UP2", "product_id": "T031268", "product_identification_helper": { "cpe": "cpe:/a:trellix:epolicy_orchestrator:5.10.0:sp1_up2" } } } ], "category": "vendor", "name": "Trellix" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-5445", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in Trellix ePolicy Orchestrator. Ein Angreifer kann den URL-Parameter manipulieren und dadurch einen Nutzer auf eine b\u00f6sartige Webseite umleiten." } ], "release_date": "2023-11-16T23:00:00.000+00:00", "title": "CVE-2023-5445" }, { "cve": "CVE-2023-5444", "notes": [ { "category": "description", "text": "Es besteht eine Schwachstelle in Trellix ePolicy Orchestrator bez\u00fcglich des Dashboard-Bereichs der Benutzeroberfl\u00e4che. Ein Angreifer kann eine Cross-Site Request Forgery ausnutzen, um neue Benutzer mit administrativen Rechten zu erstellen. Ein erfolgreiches Ausnutzen der Schwachstelle erfordert eine Benutzerinteraktion." } ], "release_date": "2023-11-16T23:00:00.000+00:00", "title": "CVE-2023-5444" }, { "cve": "CVE-2023-45648", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Trellix ePolicy Orchestrator bez\u00fcglich der verwendeten Komponenten Apache Tomcat und Java Runtime Environment. Die Auswirkungen im Zusammenhang mit ePO sind nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "release_date": "2023-11-16T23:00:00.000+00:00", "title": "CVE-2023-45648" }, { "cve": "CVE-2023-42795", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Trellix ePolicy Orchestrator bez\u00fcglich der verwendeten Komponenten Apache Tomcat und Java Runtime Environment. Die Auswirkungen im Zusammenhang mit ePO sind nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "release_date": "2023-11-16T23:00:00.000+00:00", "title": "CVE-2023-42795" }, { "cve": "CVE-2023-42794", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen in Trellix ePolicy Orchestrator bez\u00fcglich der verwendeten Komponenten Apache Tomcat und Java Runtime Environment. Die Auswirkungen im Zusammenhang mit ePO sind nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "release_date": "2023-11-16T23:00:00.000+00:00", "title": "CVE-2023-42794" } ] }
wid-sec-w-2023-2628
Vulnerability from csaf_certbund
Published
2023-10-10 22:00
Modified
2024-11-17 23:00
Summary
Apache Tomcat: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Apache Tomcat ist ein Web-Applikationsserver für verschiedene Plattformen.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache Tomcat ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen, Sicherheitsmaßnahmen zu umgehen oder vertrauliche Informationen offenzulegen.
Betroffene Betriebssysteme
- Linux
- MacOS X
- Windows
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Apache Tomcat ist ein Web-Applikationsserver f\u00fcr verschiedene Plattformen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache Tomcat ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen, Sicherheitsma\u00dfnahmen zu umgehen oder vertrauliche Informationen offenzulegen.", "title": "Angriff" }, { "category": "general", "text": "- Linux\n- MacOS X\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-2628 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2628.json" }, { "category": "self", "summary": "WID-SEC-2023-2628 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2628" }, { "category": "external", "summary": "IBM Security Bulletin 7111624 vom 2024-01-24", "url": "https://www.ibm.com/support/pages/node/7111624" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:0474 vom 2024-01-25", "url": "https://access.redhat.com/errata/RHSA-2024:0474" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-0474 vom 2024-01-25", "url": "https://linux.oracle.com/errata/ELSA-2024-0474.html" }, { "category": "external", "summary": "DELL Security Update", "url": "https://www.dell.com/support/kbdoc/de-de/000221476/dsa-2024-058-security-update-for-dell-networker-vproxy-multiple-components-vulnerabilities" }, { "category": "external", "summary": "Hitachi Vulnerability Information HITACHI-SEC-2024-107 vom 2024-01-30", "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-107/index.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:0472-1 vom 2024-02-14", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-February/017913.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:0125 vom 2024-01-10", "url": "https://access.redhat.com/errata/RHSA-2024:0125" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-0125 vom 2024-01-11", "url": "https://linux.oracle.com/errata/ELSA-2024-0125.html" }, { "category": "external", "summary": "IBM Security Bulletin 7099297 vom 2023-12-18", "url": "https://www.ibm.com/support/pages/node/7099297" }, { "category": "external", "summary": "IBM Security Bulletin 7107757 vom 2024-01-16", "url": "https://www.ibm.com/support/pages/node/7107757" }, { "category": "external", "summary": "IBM Security Bulletin 7107755 vom 2024-01-16", "url": "https://www.ibm.com/support/pages/node/7107755" }, { "category": "external", "summary": "Dell Security Advisory DSA-2024-133 vom 2024-03-12", "url": "https://www.dell.com/support/kbdoc/000223002/dsa-2024-=" }, { "category": "external", "summary": "Debian Security Advisory DSA-5522 vom 2023-10-11", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "category": "external", "summary": "Debian Security Advisory DSA-5521 vom 2023-10-11", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "category": "external", "summary": "Apache Tomcat 8 Changelog vom 2023-10-10", "url": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94" }, { "category": "external", "summary": "Apache Tomcat 9 Changelog vom 2023-10-10", "url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.81" }, { "category": "external", "summary": "Debian Security Advisory DLA-3617 vom 2023-10-13", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALASTOMCAT8.5-2023-016 vom 2023-10-18", "url": "https://alas.aws.amazon.com/AL2/ALASTOMCAT8.5-2023-016.html" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALASTOMCAT9-2023-010 vom 2023-10-18", "url": "https://alas.aws.amazon.com/AL2/ALASTOMCAT9-2023-010.html" }, { "category": "external", "summary": "GitHub Security Advisory GHSA-G8PJ-R55Q-5C2V vom 2023-10-18", "url": "https://github.com/vaadin/platform/releases/tag/24.2.0" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2023:4129-1 vom 2023-10-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-October/016747.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:5928 vom 2023-10-20", "url": "https://access.redhat.com/errata/RHSA-2023:5928" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:5929 vom 2023-10-19", "url": "https://access.redhat.com/errata/RHSA-2023:5929" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:5929 vom 2023-10-19", "url": "https://access.redhat.com/errata/RHSA-2023:5929.html" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2023-1868 vom 2023-10-19", "url": "https://alas.aws.amazon.com/ALAS-2023-1868.html" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2023-5929 vom 2023-10-24", "url": "https://linux.oracle.com/errata/ELSA-2023-5929.html" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2023-5928 vom 2023-10-25", "url": "http://linux.oracle.com/errata/ELSA-2023-5928.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:6145 vom 2023-10-27", "url": "https://access.redhat.com/errata/RHSA-2023:6145" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2023-6120 vom 2023-10-27", "url": "https://linux.oracle.com/errata/ELSA-2023-6120.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:6207 vom 2023-10-31", "url": "https://access.redhat.com/errata/RHSA-2023:6207" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:6206 vom 2023-10-31", "url": "https://access.redhat.com/errata/RHSA-2023:6206" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2023:4337-1 vom 2023-11-02", "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-November/016986.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2023:4423-1 vom 2023-11-13", "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-November/017018.html" }, { "category": "external", "summary": "Camunda Security Notice 97 vom 2023-11-13", "url": "https://docs.camunda.org/security/notices/" }, { "category": "external", "summary": "IBM Security Bulletin 7072626 vom 2023-11-14", "url": "https://www.ibm.com/support/pages/node/7072626" }, { "category": "external", "summary": "IBM Security Bulletin 7105133 vom 2024-01-05", "url": "http://www.ibm.com/support/pages/node/7105133" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:7247 vom 2023-11-16", "url": "https://access.redhat.com/errata/RHSA-2023:7247" }, { "category": "external", "summary": "IBM Security Bulletin 7076274 vom 2023-11-15", "url": "https://www.ibm.com/support/pages/node/7076274" }, { "category": "external", "summary": "IBM Security Bulletin", "url": "https://www.ibm.com/support/pages/node/7082717" }, { "category": "external", "summary": "Xerox Security Bulletin XRX23-021", "url": "https://securitydocs.business.xerox.com/wp-content/uploads/2023/11/XRX23-021_FFPSv2_Win10_SecurityBulletin_Nov2023.pdf" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:7623 vom 2023-12-07", "url": "https://access.redhat.com/errata/RHSA-2023:7623" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:7625 vom 2023-12-07", "url": "https://access.redhat.com/errata/RHSA-2023:7625" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:7626 vom 2023-12-07", "url": "https://access.redhat.com/errata/RHSA-2023:7626" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALASTOMCAT9-2024-012 vom 2024-03-19", "url": "https://alas.aws.amazon.com/AL2/ALASTOMCAT9-2024-012.html" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2024-2501 vom 2024-03-19", "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2501.html" }, { "category": "external", "summary": "IBM Security Bulletin 7114769 vom 2024-04-30", "url": "https://www.ibm.com/support/pages/node/7114769" }, { "category": "external", "summary": "IBM Security Bulletin 7156539 vom 2024-06-18", "url": "https://www.ibm.com/support/pages/node/7156539" }, { "category": "external", "summary": "Hitachi Vulnerability Information HITACHI-SEC-2024-134 vom 2024-07-02", "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-134/index.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:4631 vom 2024-07-18", "url": "https://access.redhat.com/errata/RHSA-2024:4631" }, { "category": "external", "summary": "Hitachi Vulnerability Information HITACHI-SEC-2024-126 vom 2024-08-06", "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-126/index.html" }, { "category": "external", "summary": "Brocade Security Advisory BSA-2024-2429 vom 2024-11-02", "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25158" }, { "category": "external", "summary": "Ubuntu Security Notice USN-7106-1 vom 2024-11-18", "url": "https://ubuntu.com/security/notices/USN-7106-1" } ], "source_lang": "en-US", "title": "Apache Tomcat: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-11-17T23:00:00.000+00:00", "generator": { "date": "2024-11-18T09:05:50.256+00:00", "engine": { "name": "BSI-WID", "version": "1.3.8" } }, "id": "WID-SEC-W-2023-2628", "initial_release_date": "2023-10-10T22:00:00.000+00:00", "revision_history": [ { "date": "2023-10-10T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-10-15T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2023-10-17T22:00:00.000+00:00", "number": "3", "summary": "Neue Updates von Amazon aufgenommen" }, { "date": "2023-10-18T22:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Open Source aufgenommen" }, { "date": "2023-10-19T22:00:00.000+00:00", "number": "5", "summary": "Neue Updates von Red Hat und Amazon aufgenommen" }, { "date": "2023-10-23T22:00:00.000+00:00", "number": "6", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2023-10-24T22:00:00.000+00:00", "number": "7", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2023-10-26T22:00:00.000+00:00", "number": "8", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2023-10-29T23:00:00.000+00:00", "number": "9", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2023-10-31T23:00:00.000+00:00", "number": "10", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2023-11-02T23:00:00.000+00:00", "number": "11", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2023-11-13T23:00:00.000+00:00", "number": "12", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2023-11-14T23:00:00.000+00:00", "number": "13", "summary": "Neue Updates von IBM und IBM-APAR aufgenommen" }, { "date": "2023-11-15T23:00:00.000+00:00", "number": "14", "summary": "Neue Updates von Red Hat und IBM aufgenommen" }, { "date": "2023-11-26T23:00:00.000+00:00", "number": "15", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2023-11-28T23:00:00.000+00:00", "number": "16", "summary": "Neue Updates von XEROX aufgenommen" }, { "date": "2023-12-07T23:00:00.000+00:00", "number": "17", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2023-12-18T23:00:00.000+00:00", "number": "18", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2024-01-04T23:00:00.000+00:00", "number": "19", "summary": "Neue Updates von IBM und IBM-APAR aufgenommen" }, { "date": "2024-01-10T23:00:00.000+00:00", "number": "20", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2024-01-11T23:00:00.000+00:00", "number": "21", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2024-01-15T23:00:00.000+00:00", "number": "22", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2024-01-24T23:00:00.000+00:00", "number": "23", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2024-01-25T23:00:00.000+00:00", "number": "24", "summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen" }, { "date": "2024-01-28T23:00:00.000+00:00", "number": "25", "summary": "Neue Updates von Dell aufgenommen" }, { "date": "2024-01-29T23:00:00.000+00:00", "number": "26", "summary": "Neue Updates von HITACHI aufgenommen" }, { "date": "2024-02-14T23:00:00.000+00:00", "number": "27", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2024-03-12T23:00:00.000+00:00", "number": "28", "summary": "Neue Updates von Dell aufgenommen" }, { "date": "2024-03-18T23:00:00.000+00:00", "number": "29", "summary": "Neue Updates von Amazon aufgenommen" }, { "date": "2024-05-01T22:00:00.000+00:00", "number": "30", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2024-06-17T22:00:00.000+00:00", "number": "31", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2024-07-01T22:00:00.000+00:00", "number": "32", "summary": "Neue Updates von HITACHI aufgenommen" }, { "date": "2024-07-18T22:00:00.000+00:00", "number": "33", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2024-08-05T22:00:00.000+00:00", "number": "34", "summary": "Neue Updates von HITACHI aufgenommen" }, { "date": "2024-11-03T23:00:00.000+00:00", "number": "35", "summary": "Neue Updates von BROCADE aufgenommen" }, { "date": "2024-11-17T23:00:00.000+00:00", "number": "36", "summary": "Neue Updates von Ubuntu aufgenommen" } ], "status": "final", "version": "36" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Amazon Linux 2", "product": { "name": "Amazon Linux 2", "product_id": "398363", "product_identification_helper": { "cpe": "cpe:/o:amazon:linux_2:-" } } } ], "category": "vendor", "name": "Amazon" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c8.5.94", "product": { "name": "Apache Tomcat \u003c8.5.94", "product_id": "T030426" } }, { "category": "product_version", "name": "8.5.94", "product": { "name": "Apache Tomcat 8.5.94", "product_id": "T030426-fixed", "product_identification_helper": { "cpe": "cpe:/a:apache:tomcat:8.5.94" } } }, { "category": "product_version_range", "name": "\u003c9.0.81", "product": { "name": "Apache Tomcat \u003c9.0.81", "product_id": "T030427" } }, { "category": "product_version", "name": "9.0.81", "product": { "name": "Apache Tomcat 9.0.81", "product_id": "T030427-fixed", "product_identification_helper": { "cpe": "cpe:/a:apache:tomcat:9.0.81" } } } ], "category": "product_name", "name": "Tomcat" } ], "category": "vendor", "name": "Apache" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c2.3.1", "product": { "name": "Broadcom Brocade SANnav \u003c2.3.1", "product_id": "T034139" } }, { "category": "product_version", "name": "2.3.1", "product": { "name": "Broadcom Brocade SANnav 2.3.1", "product_id": "T034139-fixed", "product_identification_helper": { "cpe": "cpe:/a:broadcom:brocade_sannav:2.3.1" } } }, { "category": "product_version_range", "name": "\u003c2.3.0a", "product": { "name": "Broadcom Brocade SANnav \u003c2.3.0a", "product_id": "T034294" } }, { "category": "product_version", "name": "2.3.0a", "product": { "name": "Broadcom Brocade SANnav 2.3.0a", "product_id": "T034294-fixed", "product_identification_helper": { "cpe": "cpe:/a:broadcom:brocade_sannav:2.3.0a" } } } ], "category": "product_name", "name": "Brocade SANnav" } ], "category": "vendor", "name": "Broadcom" }, { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "branches": [ { "category": "product_name", "name": "Dell NetWorker", "product": { "name": "Dell NetWorker", "product_id": "T024663", "product_identification_helper": { "cpe": "cpe:/a:dell:networker:-" } } }, { "category": "product_version_range", "name": "vProxy\u003c19.9.0.4", "product": { "name": "Dell NetWorker vProxy\u003c19.9.0.4", "product_id": "T032377" } }, { "category": "product_version", "name": "vProxy19.9.0.4", "product": { "name": "Dell NetWorker vProxy19.9.0.4", "product_id": "T032377-fixed", "product_identification_helper": { "cpe": "cpe:/a:dell:networker:vproxy_19.9.0.4" } } }, { "category": "product_version_range", "name": "vProxy\u003c19.10", "product": { "name": "Dell NetWorker vProxy\u003c19.10", "product_id": "T032378" } }, { "category": "product_version", "name": "vProxy19.10", "product": { "name": "Dell NetWorker vProxy19.10", "product_id": "T032378-fixed", "product_identification_helper": { "cpe": "cpe:/a:dell:networker:vproxy_19.10" } } } ], "category": "product_name", "name": "NetWorker" } ], "category": "vendor", "name": "Dell" }, { "branches": [ { "category": "product_name", "name": "Hitachi Ops Center", "product": { "name": "Hitachi Ops Center", "product_id": "T017562", "product_identification_helper": { "cpe": "cpe:/a:hitachi:ops_center:-" } } } ], "category": "vendor", "name": "Hitachi" }, { "branches": [ { "category": "product_name", "name": "IBM FlashSystem", "product": { "name": "IBM FlashSystem", "product_id": "T025159", "product_identification_helper": { "cpe": "cpe:/a:ibm:flashsystem:-" } } }, { "branches": [ { "category": "product_version", "name": "10.1-10.1.0.2", "product": { "name": "IBM Integration Bus 10.1-10.1.0.2", "product_id": "T031084", "product_identification_helper": { "cpe": "cpe:/a:ibm:integration_bus:10.1_-_10.1.0.2" } } } ], "category": "product_name", "name": "Integration Bus" }, { "category": "product_name", "name": "IBM Operational Decision Manager", "product": { "name": "IBM Operational Decision Manager", "product_id": "T005180", "product_identification_helper": { "cpe": "cpe:/a:ibm:operational_decision_manager:-" } } }, { "branches": [ { "category": "product_version", "name": "V10", "product": { "name": "IBM Power Hardware Management Console V10", "product_id": "T023373", "product_identification_helper": { "cpe": "cpe:/a:ibm:hardware_management_console:v10" } } } ], "category": "product_name", "name": "Power Hardware Management Console" }, { "branches": [ { "category": "product_version", "name": "7.5", "product": { "name": "IBM QRadar SIEM 7.5", "product_id": "T022954", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.5" } } } ], "category": "product_name", "name": "QRadar SIEM" }, { "branches": [ { "category": "product_version", "name": "8.0.0.24", "product": { "name": "IBM Rational Build Forge 8.0.0.24", "product_id": "T030689", "product_identification_helper": { "cpe": "cpe:/a:ibm:rational_build_forge:8.0.0.24" } } } ], "category": "product_name", "name": "Rational Build Forge" }, { "category": "product_name", "name": "IBM SAN Volume Controller", "product": { "name": "IBM SAN Volume Controller", "product_id": "T002782", "product_identification_helper": { "cpe": "cpe:/a:ibm:san_volume_controller:-" } } }, { "branches": [ { "category": "product_version", "name": "11.5", "product": { "name": "IBM Security Guardium 11.5", "product_id": "1411051", "product_identification_helper": { "cpe": "cpe:/a:ibm:security_guardium:11.5" } } } ], "category": "product_name", "name": "Security Guardium" }, { "branches": [ { "category": "product_version", "name": "V5000", "product": { "name": "IBM Storwize V5000", "product_id": "T020641", "product_identification_helper": { "cpe": "cpe:/a:ibm:storwize:v5000" } } }, { "category": "product_name", "name": "IBM Storwize", "product": { "name": "IBM Storwize", "product_id": "T021621", "product_identification_helper": { "cpe": "cpe:/a:ibm:storwize:-" } } } ], "category": "product_name", "name": "Storwize" } ], "category": "vendor", "name": "IBM" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c7.21.0-alpha1", "product": { "name": "Open Source Camunda \u003c7.21.0-alpha1", "product_id": "T031061" } }, { "category": "product_version", "name": "7.21.0-alpha1", "product": { "name": "Open Source Camunda 7.21.0-alpha1", "product_id": "T031061-fixed", "product_identification_helper": { "cpe": "cpe:/a:camunda:camunda:7.21.0-alpha1" } } }, { "category": "product_version_range", "name": "\u003c7.20.1", "product": { "name": "Open Source Camunda \u003c7.20.1", "product_id": "T031062" } }, { "category": "product_version", "name": "7.20.1", "product": { "name": "Open Source Camunda 7.20.1", "product_id": "T031062-fixed", "product_identification_helper": { "cpe": "cpe:/a:camunda:camunda:7.20.1" } } }, { "category": "product_version_range", "name": "\u003c7.19.8", "product": { "name": "Open Source Camunda \u003c7.19.8", "product_id": "T031063" } }, { "category": "product_version", "name": "7.19.8", "product": { "name": "Open Source Camunda 7.19.8", "product_id": "T031063-fixed", "product_identification_helper": { "cpe": "cpe:/a:camunda:camunda:7.19.8" } } }, { "category": "product_version_range", "name": "\u003c7.18.12", "product": { "name": "Open Source Camunda \u003c7.18.12", "product_id": "T031064" } }, { "category": "product_version", "name": "7.18.12", "product": { "name": "Open Source Camunda 7.18.12", "product_id": "T031064-fixed", "product_identification_helper": { "cpe": "cpe:/a:camunda:camunda:7.18.12" } } }, { "category": "product_version_range", "name": "RPA Bridge \u003c1.1.10", "product": { "name": "Open Source Camunda RPA Bridge \u003c1.1.10", "product_id": "T031065" } }, { "category": "product_version", "name": "RPA Bridge 1.1.10", "product": { "name": "Open Source Camunda RPA Bridge 1.1.10", "product_id": "T031065-fixed", "product_identification_helper": { "cpe": "cpe:/a:camunda:camunda:rpa_bridge__1.1.10" } } } ], "category": "product_name", "name": "Camunda" }, { "branches": [ { "category": "product_version_range", "name": "\u003c24.2.0", "product": { "name": "Open Source Vaadin \u003c24.2.0", "product_id": "T030676" } }, { "category": "product_version", "name": "24.2.0", "product": { "name": "Open Source Vaadin 24.2.0", "product_id": "T030676-fixed", "product_identification_helper": { "cpe": "cpe:/a:vaadin:vaadin:24.2.0" } } } ], "category": "product_name", "name": "Vaadin" } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } }, { "branches": [ { "category": "product_version", "name": "1", "product": { "name": "Red Hat JBoss Core Services 1", "product_id": "459970", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_core_services:1.0" } } }, { "category": "product_name", "name": "Red Hat JBoss Core Services", "product": { "name": "Red Hat JBoss Core Services", "product_id": "T012412", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_core_services:-" } } } ], "category": "product_name", "name": "JBoss Core Services" }, { "branches": [ { "category": "product_version_range", "name": "\u003c5.7.7", "product": { "name": "Red Hat JBoss Web Server \u003c5.7.7", "product_id": "T031508" } }, { "category": "product_version", "name": "5.7.7", "product": { "name": "Red Hat JBoss Web Server 5.7.7", "product_id": "T031508-fixed", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7.7" } } } ], "category": "product_name", "name": "JBoss Web Server" } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" }, { "branches": [ { "category": "product_name", "name": "Ubuntu Linux", "product": { "name": "Ubuntu Linux", "product_id": "T000126", "product_identification_helper": { "cpe": "cpe:/o:canonical:ubuntu_linux:-" } } } ], "category": "vendor", "name": "Ubuntu" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "v2 / Windows 10", "product": { "name": "Xerox FreeFlow Print Server v2 / Windows 10", "product_id": "T031383", "product_identification_helper": { "cpe": "cpe:/a:xerox:freeflow_print_server:v2__windows_10" } } } ], "category": "product_name", "name": "FreeFlow Print Server" } ], "category": "vendor", "name": "Xerox" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-42794", "notes": [ { "category": "description", "text": "Es besteht eine Schwachstelle in Apache Tomcat. Dieser Fehler besteht im internen Fork des Commons FileUpload-Pakets aufgrund einer unvollst\u00e4ndigen Bereinigung. Ein entfernter Angreifer kann diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu verursachen." } ], "product_status": { "known_affected": [ "67646", "T012412", "T030426", "T030689", "T004914", "T020641", "T024663", "T005180", "398363", "T031508", "T025159", "T023373", "T034139", "T032377", "T002782", "T032378", "T030676", "T031061", "T031063", "T031062", "T031084", "T034294", "T031065", "T031064", "T031383", "T017562", "T022954", "T021621", "2951", "T002207", "T000126", "T030427", "459970", "1411051" ] }, "release_date": "2023-10-10T22:00:00.000+00:00", "title": "CVE-2023-42794" }, { "cve": "CVE-2023-42795", "notes": [ { "category": "description", "text": "Es besteht eine Schwachstelle in Apache Tomcat. Dieser Fehler besteht aufgrund des \u00dcberspringens einiger Teile des Recycling-Prozesses durch den Dienst. Ein entfernter Angreifer kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen." } ], "product_status": { "known_affected": [ "67646", "T012412", "T030426", "T030689", "T004914", "T020641", "T024663", "T005180", "398363", "T031508", "T025159", "T023373", "T034139", "T032377", "T002782", "T032378", "T030676", "T031061", "T031063", "T031062", "T031084", "T034294", "T031065", "T031064", "T031383", "T017562", "T022954", "T021621", "2951", "T002207", "T000126", "T030427", "459970", "1411051" ] }, "release_date": "2023-10-10T22:00:00.000+00:00", "title": "CVE-2023-42795" }, { "cve": "CVE-2023-44487", "notes": [ { "category": "description", "text": "Es besteht eine Schwachstelle in Apache Tomcat in der HTTP/2-Implementierung. Bei der \u00dcberpr\u00fcfung von Stream-Limits werden abgebrochene Verbindungen nicht gez\u00e4hlt, obwohl der Worker-Prozess noch an der Anfrage arbeitet. Ein Angreifer kann dies f\u00fcr einen Denial-of-Service-Angriff ausnutzen, indem er zahlreiche Anfragestr\u00f6me parallel \u00f6ffnet und jeden einzelnen mit dem RST_STREAM-Frame des HTTP/2-Protokolls schnell abbricht, ohne auf Antworten zu warten. Diese Art von Angriff wird als \"HTTP/2 Rapid Reset\"-Angriff bezeichnet." } ], "product_status": { "known_affected": [ "67646", "T012412", "T030426", "T030689", "T004914", "T020641", "T024663", "T005180", "398363", "T031508", "T025159", "T023373", "T034139", "T032377", "T002782", "T032378", "T030676", "T031061", "T031063", "T031062", "T031084", "T034294", "T031065", "T031064", "T031383", "T017562", "T022954", "T021621", "2951", "T002207", "T000126", "T030427", "459970", "1411051" ] }, "release_date": "2023-10-10T22:00:00.000+00:00", "title": "CVE-2023-44487" }, { "cve": "CVE-2023-45648", "notes": [ { "category": "description", "text": "Es besteht eine Schwachstelle in Apache Tomcat. Dieser Fehler besteht in den HTTP-Trailer-Headern aufgrund einer unzureichenden Eingabevalidierung. Durch die Verwendung eines speziell gestalteten, ung\u00fcltigen Trailer-Headers kann ein entfernter Angreifer diese Schwachstelle zur Umgehung von Sicherheitsma\u00dfnahmen ausnutzen." } ], "product_status": { "known_affected": [ "67646", "T012412", "T030426", "T030689", "T004914", "T020641", "T024663", "T005180", "398363", "T031508", "T025159", "T023373", "T034139", "T032377", "T002782", "T032378", "T030676", "T031061", "T031063", "T031062", "T031084", "T034294", "T031065", "T031064", "T031383", "T017562", "T022954", "T021621", "2951", "T002207", "T000126", "T030427", "459970", "1411051" ] }, "release_date": "2023-10-10T22:00:00.000+00:00", "title": "CVE-2023-45648" } ] }
wid-sec-w-2024-1238
Vulnerability from csaf_certbund
Published
2024-05-27 22:00
Modified
2024-05-27 22:00
Summary
HPE HP-UX: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
HP-UX ist ein Unix Betriebssystem von HP.
Angriff
Ein anonymer oder lokaler Angreifer kann mehrere Schwachstellen in HPE HP-UX Tomcat Servlet Engine ausnutzen, um Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren.
Betroffene Betriebssysteme
- Sonstiges
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "HP-UX ist ein Unix Betriebssystem von HP.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein anonymer oder lokaler Angreifer kann mehrere Schwachstellen in HPE HP-UX Tomcat Servlet Engine ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren.", "title": "Angriff" }, { "category": "general", "text": "- Sonstiges", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-1238 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1238.json" }, { "category": "self", "summary": "WID-SEC-2024-1238 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1238" }, { "category": "external", "summary": "HPE Security Bulletin HPESBUX04652 rev.1 vom 2024-05-27", "url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbux04652en_us\u0026docLocale=en_US" } ], "source_lang": "en-US", "title": "HPE HP-UX: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-05-27T22:00:00.000+00:00", "generator": { "date": "2024-08-15T18:09:34.846+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2024-1238", "initial_release_date": "2024-05-27T22:00:00.000+00:00", "revision_history": [ { "date": "2024-05-27T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "Apache Tomcat 9 Servlet Engine \u003cD.9.0.87.01", "product": { "name": "HPE HP-UX Apache Tomcat 9 Servlet Engine \u003cD.9.0.87.01", "product_id": "T035072" } } ], "category": "product_name", "name": "HP-UX" } ], "category": "vendor", "name": "HPE" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-12616", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2017-12616" }, { "cve": "CVE-2017-12617", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2017-12617" }, { "cve": "CVE-2021-30639", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2021-30639" }, { "cve": "CVE-2021-30640", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2021-30640" }, { "cve": "CVE-2021-33037", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2021-33037" }, { "cve": "CVE-2021-41079", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2021-41079" }, { "cve": "CVE-2021-42340", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2021-42340" }, { "cve": "CVE-2021-43980", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2021-43980" }, { "cve": "CVE-2022-23181", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2022-23181" }, { "cve": "CVE-2022-29885", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2022-29885" }, { "cve": "CVE-2022-34305", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2022-34305" }, { "cve": "CVE-2022-42252", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2022-42252" }, { "cve": "CVE-2022-45143", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2022-45143" }, { "cve": "CVE-2023-24998", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2023-24998" }, { "cve": "CVE-2023-28708", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2023-28708" }, { "cve": "CVE-2023-28709", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2023-28709" }, { "cve": "CVE-2023-34981", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2023-34981" }, { "cve": "CVE-2023-41080", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2023-41080" }, { "cve": "CVE-2023-42794", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2023-42794" }, { "cve": "CVE-2023-42795", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2023-42795" }, { "cve": "CVE-2023-44487", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2023-44487" }, { "cve": "CVE-2023-45648", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2023-45648" }, { "cve": "CVE-2023-46589", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2023-46589" }, { "cve": "CVE-2024-23672", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2024-23672" }, { "cve": "CVE-2024-24549", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen in HPE HP-UX in der Tomcat-basierten Servlet-Engine. Ein anonymer oder lokaler Angreifer kann diese ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand zu verursachen, vertrauliche Informationen offenzulegen oder Dateien zu manipulieren. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion, um erfolgreich ausgenutzt zu werden." } ], "release_date": "2024-05-27T22:00:00.000+00:00", "title": "CVE-2024-24549" } ] }
gsd-2023-45648
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially
crafted, invalid trailer header could cause Tomcat to treat a single
request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.
Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
Aliases
Aliases
{ "GSD": { "alias": "CVE-2023-45648", "id": "GSD-2023-45648" }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2023-45648" ], "details": "Improper Input Validation vulnerability in Apache Tomcat.Tomcat\u00a0from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially \ncrafted, invalid trailer header could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.\n\n", "id": "GSD-2023-45648", "modified": "2023-12-13T01:20:38.016185Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2023-45648", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Tomcat", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "11.0.0-M1", "version_value": "11.0.0-M11" }, { "version_affected": "\u003c=", "version_name": "10.1.0-M1", "version_value": "10.1.13" }, { "version_affected": "\u003c=", "version_name": "9.0.0-M1", "version_value": "9.0.81" }, { "version_affected": "\u003c=", "version_name": "8.5.0", "version_value": "8.5.93" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credits": [ { "lang": "en", "value": "Keran Mu and Jianjun Chen from Tsinghua University and Zhongguancun Laboratory" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Improper Input Validation vulnerability in Apache Tomcat.Tomcat\u00a0from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially \ncrafted, invalid trailer header could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.\n\n" } ] }, "generator": { "engine": "Vulnogram 0.1.0-dev" }, "problemtype": { "problemtype_data": [ { "description": [ { "cweId": "CWE-20", "lang": "eng", "value": "CWE-20 Improper Input Validation" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp", "refsource": "MISC", "url": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp" }, { "name": "http://www.openwall.com/lists/oss-security/2023/10/10/10", "refsource": "MISC", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/10" }, { "name": "https://www.debian.org/security/2023/dsa-5522", "refsource": "MISC", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "name": "https://www.debian.org/security/2023/dsa-5521", "refsource": "MISC", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "name": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", "refsource": "MISC", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" }, { "name": "https://security.netapp.com/advisory/ntap-20231103-0007/", "refsource": "MISC", "url": "https://security.netapp.com/advisory/ntap-20231103-0007/" } ] }, "source": { "discovery": "EXTERNAL" } }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "10.1.14", "versionStartIncluding": "10.1.1", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone20:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone19:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone18:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "8.5.94", "versionStartIncluding": "8.5.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "9.0.81", "versionStartIncluding": "9.0.1", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2023-45648" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "Improper Input Validation vulnerability in Apache Tomcat.Tomcat\u00a0from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially \ncrafted, invalid trailer header could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.\n\n" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-20" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp", "refsource": "MISC", "tags": [ "Vendor Advisory" ], "url": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp" }, { "name": "http://www.openwall.com/lists/oss-security/2023/10/10/10", "refsource": "MISC", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/10/10" }, { "name": "https://www.debian.org/security/2023/dsa-5522", "refsource": "MISC", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2023/dsa-5522" }, { "name": "https://www.debian.org/security/2023/dsa-5521", "refsource": "MISC", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2023/dsa-5521" }, { "name": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", "refsource": "MISC", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" }, { "name": "https://security.netapp.com/advisory/ntap-20231103-0007/", "refsource": "MISC", "tags": [], "url": "https://security.netapp.com/advisory/ntap-20231103-0007/" } ] } }, "impact": { "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4 } }, "lastModifiedDate": "2023-11-04T06:15Z", "publishedDate": "2023-10-10T19:15Z" } } }
icsa-24-228-06
Vulnerability from csaf_cisa
Published
2024-08-13 00:00
Modified
2024-08-13 00:00
Summary
Siemens SINEC NMS
Notes
Summary
SINEC NMS before V3.0 is affected by multiple vulnerabilities.
Siemens has released a new version for SINEC NMS and recommends to update to the latest version.
General Recommendations
As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use
Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Advisory Conversion Disclaimer
This CISA CSAF advisory was converted from Siemens ProductCERT's CSAF advisory.
Critical infrastructure sectors
Multiple
Countries/areas deployed
Worldwide
Company headquarters location
Germany
Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.
Recommended Practices
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Recommended Practices
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
Recommended Practices
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
Recommended Practices
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Recommended Practices
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Recommended Practices
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
{ "document": { "acknowledgments": [ { "organization": "Siemens ProductCERT", "summary": "reporting these vulnerabilities to CISA." } ], "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Disclosure is not limited", "tlp": { "label": "WHITE", "url": "https://us-cert.cisa.gov/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "SINEC NMS before V3.0 is affected by multiple vulnerabilities.\n\nSiemens has released a new version for SINEC NMS and recommends to update to the latest version.", "title": "Summary" }, { "category": "general", "text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "title": "General Recommendations" }, { "category": "general", "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories", "title": "Additional Resources" }, { "category": "legal_disclaimer", "text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens\u0027 underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens\u0027 Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.", "title": "Terms of Use" }, { "category": "legal_disclaimer", "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.", "title": "Legal Notice" }, { "category": "other", "text": "This CISA CSAF advisory was converted from Siemens ProductCERT\u0027s CSAF advisory.", "title": "Advisory Conversion Disclaimer" }, { "category": "other", "text": "Multiple", "title": "Critical infrastructure sectors" }, { "category": "other", "text": "Worldwide", "title": "Countries/areas deployed" }, { "category": "other", "text": "Germany", "title": "Company headquarters location" }, { "category": "general", "text": "CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.", "title": "Recommended Practices" }, { "category": "general", "text": "Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.", "title": "Recommended Practices" }, { "category": "general", "text": "Locate control system networks and remote devices behind firewalls and isolate them from business networks.", "title": "Recommended Practices" }, { "category": "general", "text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.", "title": "Recommended Practices" }, { "category": "general", "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.", "title": "Recommended Practices" }, { "category": "general", "text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.", "title": "Recommended Practices" }, { "category": "general", "text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.", "title": "Recommended Practices" }, { "category": "general", "text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.", "title": "Recommended Practices" } ], "publisher": { "category": "other", "contact_details": "central@cisa.dhs.gov", "name": "CISA", "namespace": "https://www.cisa.gov/" }, "references": [ { "category": "self", "summary": "SSA-784301: Multiple Vulnerabilities in SINEC NMS Before V3.0 - CSAF Version", "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-784301.json" }, { "category": "self", "summary": "SSA-784301: Multiple Vulnerabilities in SINEC NMS Before V3.0 - HTML Version", "url": "https://cert-portal.siemens.com/productcert/html/ssa-784301.html" }, { "category": "self", "summary": "ICS Advisory ICSA-24-228-06 JSON", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2024/icsa-24-228-06.json" }, { "category": "self", "summary": "ICS Advisory ICSA-24-228-06 - Web Version", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-228-06" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/topics/industrial-control-systems" }, { "category": "external", "summary": "Recommended Practices", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B" } ], "title": "Siemens SINEC NMS", "tracking": { "current_release_date": "2024-08-13T00:00:00.000000Z", "generator": { "engine": { "name": "CISA CSAF Generator", "version": "1" } }, "id": "ICSA-24-228-06", "initial_release_date": "2024-08-13T00:00:00.000000Z", "revision_history": [ { "date": "2024-08-13T00:00:00.000000Z", "legacy_version": "1.0", "number": "1", "summary": "Publication Date" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003cV3.0", "product": { "name": "SINEC NMS", "product_id": "CSAFPID-0001" } } ], "category": "product_name", "name": "SINEC NMS" } ], "category": "vendor", "name": "Siemens" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-4611", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "A use-after-free flaw was found in mm/mempolicy.c in the memory management subsystem in the Linux Kernel. This issue is caused by a race between mbind() and VMA-locked page fault, and may allow a local attacker to crash the system or lead to a kernel information leak.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-4611" }, { "cve": "CVE-2023-5868", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with \u0027unknown\u0027-type arguments. Handling \u0027unknown\u0027-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-5868" }, { "cve": "CVE-2023-5869", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server\u0027s memory.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-5869" }, { "cve": "CVE-2023-5870", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-5870" }, { "cve": "CVE-2023-6378", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-6378" }, { "cve": "CVE-2023-6481", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-6481" }, { "cve": "CVE-2023-31122", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-31122" }, { "cve": "CVE-2023-34050", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "notes": [ { "category": "summary", "text": "In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if \r\n\r\n * the SimpleMessageConverter or SerializerMessageConverter is used \r\n * the user does not configure allowed list patterns \r\n * untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.0, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-34050" }, { "cve": "CVE-2023-39615", "cwe": { "id": "CWE-119", "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer" }, "notes": [ { "category": "summary", "text": "Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor\u0027s position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-39615" }, { "cve": "CVE-2023-42794", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "Incomplete Cleanup vulnerability in Apache Tomcat.\r\n\r\nThe internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, \r\nin progress refactoring that exposed a potential denial of service on \r\nWindows if a web application opened a stream for an uploaded file but \r\nfailed to close the stream. The file would never be deleted from disk \r\ncreating the possibility of an eventual denial of service due to the \r\ndisk being full.\r\n\r\nUsers are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-42794" }, { "cve": "CVE-2023-42795", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could \r\ncause Tomcat to skip some parts of the recycling process leading to \r\ninformation leaking from the current request/response to the next.\r\n\r\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-42795" }, { "cve": "CVE-2023-43622", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known \"slow loris\" attack pattern.\r\nThis has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.\r\n\r\nThis issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.\r\n\r\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-43622" }, { "cve": "CVE-2023-44487", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "notes": [ { "category": "summary", "text": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-44487" }, { "cve": "CVE-2023-45648", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "Improper Input Validation vulnerability in Apache Tomcat.Tomcat\u00a0from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially \r\ncrafted, invalid trailer header could cause Tomcat to treat a single \r\nrequest as multiple requests leading to the possibility of request \r\nsmuggling when behind a reverse proxy.\r\n\r\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-45648" }, { "cve": "CVE-2023-45802", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request\u0027s memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.\r\n\r\nThis was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During \"normal\" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.\r\n\r\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-45802" }, { "cve": "CVE-2023-46120", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "notes": [ { "category": "summary", "text": "The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer. This vulnerability was patched in version 5.18.0.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-46120" }, { "cve": "CVE-2023-46280", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "summary", "text": "The affected applications contain an out of bounds read vulnerability. This could allow an attacker to cause a Blue Screen of Death (BSOD) crash of the underlying Windows kernel.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-46280" }, { "cve": "CVE-2023-46589", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-46589" }, { "cve": "CVE-2023-52425", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "notes": [ { "category": "summary", "text": "libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-52425" }, { "cve": "CVE-2023-52426", "cwe": { "id": "CWE-776", "name": "Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)" }, "notes": [ { "category": "summary", "text": "libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2023-52426" }, { "cve": "CVE-2024-0985", "cwe": { "id": "CWE-271", "name": "Privilege Dropping / Lowering Errors" }, "notes": [ { "category": "summary", "text": "Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker\u0027s roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker\u0027s materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 8.0, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2024-0985" }, { "cve": "CVE-2024-25062", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2024-25062" }, { "cve": "CVE-2024-28182", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "notes": [ { "category": "summary", "text": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2024-28182" }, { "cve": "CVE-2024-28757", "cwe": { "id": "CWE-776", "name": "Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)" }, "notes": [ { "category": "summary", "text": "libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2024-28757" }, { "cve": "CVE-2024-36398", "cwe": { "id": "CWE-250", "name": "Execution with Unnecessary Privileges" }, "notes": [ { "category": "summary", "text": "The affected application executes a subset of its services as `NT AUTHORITY\\SYSTEM`. This could allow a local attacker to execute operating system commands with elevated privileges.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2024-36398" }, { "cve": "CVE-2024-41938", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "notes": [ { "category": "summary", "text": "The importCertificate function of the SINEC NMS Control web application contains a path traversal vulnerability. This could allow an authenticated attacker it to delete arbitrary certificate files on the drive SINEC NMS is installed on.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2024-41938" }, { "cve": "CVE-2024-41939", "cwe": { "id": "CWE-863", "name": "Incorrect Authorization" }, "notes": [ { "category": "summary", "text": "The affected application does not properly enforce authorization checks. This could allow an authenticated attacker to bypass the checks and elevate their privileges on the application.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2024-41939" }, { "cve": "CVE-2024-41940", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "The affected application does not properly validate user input to a privileged command queue. This could allow an authenticated attacker to execute OS commands with elevated privileges.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2024-41940" }, { "cve": "CVE-2024-41941", "cwe": { "id": "CWE-863", "name": "Incorrect Authorization" }, "notes": [ { "category": "summary", "text": "The affected application does not properly enforce authorization checks. This could allow an authenticated attacker to bypass the checks and modify settings in the application without authorization.", "title": "Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "CSAFPID-0001" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "title": "CVE-2024-41941" } ] }
ssa-784301
Vulnerability from csaf_siemens
Published
2024-08-13 00:00
Modified
2024-08-13 00:00
Summary
SSA-784301: Multiple Vulnerabilities in SINEC NMS Before V3.0
Notes
Summary
SINEC NMS before V3.0 is affected by multiple vulnerabilities.
Siemens has released a new version for SINEC NMS and recommends to update to the latest version.
General Recommendations
As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use
Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.
{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)", "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "summary", "text": "SINEC NMS before V3.0 is affected by multiple vulnerabilities.\n\nSiemens has released a new version for SINEC NMS and recommends to update to the latest version.", "title": "Summary" }, { "category": "general", "text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity", "title": "General Recommendations" }, { "category": "general", "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories", "title": "Additional Resources" }, { "category": "legal_disclaimer", "text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens\u0027 underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens\u0027 Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "productcert@siemens.com", "name": "Siemens ProductCERT", "namespace": "https://www.siemens.com" }, "references": [ { "category": "self", "summary": "SSA-784301: Multiple Vulnerabilities in SINEC NMS Before V3.0 - HTML Version", "url": "https://cert-portal.siemens.com/productcert/html/ssa-784301.html" }, { "category": "self", "summary": "SSA-784301: Multiple Vulnerabilities in SINEC NMS Before V3.0 - CSAF Version", "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-784301.json" } ], "title": "SSA-784301: Multiple Vulnerabilities in SINEC NMS Before V3.0", "tracking": { "current_release_date": "2024-08-13T00:00:00Z", "generator": { "engine": { "name": "Siemens ProductCERT CSAF Generator", "version": "1" } }, "id": "SSA-784301", "initial_release_date": "2024-08-13T00:00:00Z", "revision_history": [ { "date": "2024-08-13T00:00:00Z", "legacy_version": "1.0", "number": "1", "summary": "Publication Date" } ], "status": "interim", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003cV3.0", "product": { "name": "SINEC NMS", "product_id": "1" } } ], "category": "product_name", "name": "SINEC NMS" } ], "category": "vendor", "name": "Siemens" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-4611", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "A use-after-free flaw was found in mm/mempolicy.c in the memory management subsystem in the Linux Kernel. This issue is caused by a race between mbind() and VMA-locked page fault, and may allow a local attacker to crash the system or lead to a kernel information leak.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-4611" }, { "cve": "CVE-2023-5868", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with \u0027unknown\u0027-type arguments. Handling \u0027unknown\u0027-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-5868" }, { "cve": "CVE-2023-5869", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server\u0027s memory.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-5869" }, { "cve": "CVE-2023-5870", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-5870" }, { "cve": "CVE-2023-6378", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-6378" }, { "cve": "CVE-2023-6481", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-6481" }, { "cve": "CVE-2023-31122", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-31122" }, { "cve": "CVE-2023-34050", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "notes": [ { "category": "summary", "text": "In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if \r\n\r\n * the SimpleMessageConverter or SerializerMessageConverter is used \r\n * the user does not configure allowed list patterns \r\n * untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.0, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-34050" }, { "cve": "CVE-2023-39615", "cwe": { "id": "CWE-119", "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer" }, "notes": [ { "category": "summary", "text": "Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor\u0027s position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-39615" }, { "cve": "CVE-2023-42794", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "Incomplete Cleanup vulnerability in Apache Tomcat.\r\n\r\nThe internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, \r\nin progress refactoring that exposed a potential denial of service on \r\nWindows if a web application opened a stream for an uploaded file but \r\nfailed to close the stream. The file would never be deleted from disk \r\ncreating the possibility of an eventual denial of service due to the \r\ndisk being full.\r\n\r\nUsers are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-42794" }, { "cve": "CVE-2023-42795", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could \r\ncause Tomcat to skip some parts of the recycling process leading to \r\ninformation leaking from the current request/response to the next.\r\n\r\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-42795" }, { "cve": "CVE-2023-43622", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known \"slow loris\" attack pattern.\r\nThis has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.\r\n\r\nThis issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.\r\n\r\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-43622" }, { "cve": "CVE-2023-44487", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "notes": [ { "category": "summary", "text": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-44487" }, { "cve": "CVE-2023-45648", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "Improper Input Validation vulnerability in Apache Tomcat.Tomcat\u00a0from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially \r\ncrafted, invalid trailer header could cause Tomcat to treat a single \r\nrequest as multiple requests leading to the possibility of request \r\nsmuggling when behind a reverse proxy.\r\n\r\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-45648" }, { "cve": "CVE-2023-45802", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request\u0027s memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.\r\n\r\nThis was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During \"normal\" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.\r\n\r\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-45802" }, { "cve": "CVE-2023-46120", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "notes": [ { "category": "summary", "text": "The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer. This vulnerability was patched in version 5.18.0.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-46120" }, { "cve": "CVE-2023-46280", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "summary", "text": "The affected applications contain an out of bounds read vulnerability. This could allow an attacker to cause a Blue Screen of Death (BSOD) crash of the underlying Windows kernel.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-46280" }, { "cve": "CVE-2023-46589", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-46589" }, { "cve": "CVE-2023-52425", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "notes": [ { "category": "summary", "text": "libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-52425" }, { "cve": "CVE-2023-52426", "cwe": { "id": "CWE-776", "name": "Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)" }, "notes": [ { "category": "summary", "text": "libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2023-52426" }, { "cve": "CVE-2024-0985", "cwe": { "id": "CWE-271", "name": "Privilege Dropping / Lowering Errors" }, "notes": [ { "category": "summary", "text": "Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker\u0027s roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker\u0027s materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 8.0, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2024-0985" }, { "cve": "CVE-2024-25062", "cwe": { "id": "CWE-416", "name": "Use After Free" }, "notes": [ { "category": "summary", "text": "An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2024-25062" }, { "cve": "CVE-2024-28182", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "notes": [ { "category": "summary", "text": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2024-28182" }, { "cve": "CVE-2024-28757", "cwe": { "id": "CWE-776", "name": "Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)" }, "notes": [ { "category": "summary", "text": "libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2024-28757" }, { "cve": "CVE-2024-36398", "cwe": { "id": "CWE-250", "name": "Execution with Unnecessary Privileges" }, "notes": [ { "category": "summary", "text": "The affected application executes a subset of its services as `NT AUTHORITY\\SYSTEM`. This could allow a local attacker to execute operating system commands with elevated privileges.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2024-36398" }, { "cve": "CVE-2024-41938", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "notes": [ { "category": "summary", "text": "The importCertificate function of the SINEC NMS Control web application contains a path traversal vulnerability. This could allow an authenticated attacker it to delete arbitrary certificate files on the drive SINEC NMS is installed on.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2024-41938" }, { "cve": "CVE-2024-41939", "cwe": { "id": "CWE-863", "name": "Incorrect Authorization" }, "notes": [ { "category": "summary", "text": "The affected application does not properly enforce authorization checks. This could allow an authenticated attacker to bypass the checks and elevate their privileges on the application.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2024-41939" }, { "cve": "CVE-2024-41940", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "The affected application does not properly validate user input to a privileged command queue. This could allow an authenticated attacker to execute OS commands with elevated privileges.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2024-41940" }, { "cve": "CVE-2024-41941", "cwe": { "id": "CWE-863", "name": "Incorrect Authorization" }, "notes": [ { "category": "summary", "text": "The affected application does not properly enforce authorization checks. This could allow an authenticated attacker to bypass the checks and modify settings in the application without authorization.", "title": "Summary" } ], "product_status": { "known_affected": [ "1" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update to V3.0 or later version", "product_ids": [ "1" ], "url": "https://support.industry.siemens.com/cs/ww/en/view/109973059/" } ], "scores": [ { "cvss_v3": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "title": "CVE-2024-41941" } ] }
ghsa-r6j3-px5g-cq3x
Vulnerability from github
Published
2023-10-10 21:31
Modified
2024-04-24 15:41
Severity ?
Summary
Apache Tomcat Improper Input Validation vulnerability
Details
Improper Input Validation vulnerability in Apache Tomcat.
Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.
Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "org.apache.tomcat:tomcat" }, "ranges": [ { "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.0-M12" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.tomcat:tomcat" }, "ranges": [ { "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.14" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.tomcat:tomcat" }, "ranges": [ { "events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.81" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.tomcat:tomcat" }, "ranges": [ { "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.94" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.tomcat.embed:tomcat-embed-core" }, "ranges": [ { "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.0-M12" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.tomcat.embed:tomcat-embed-core" }, "ranges": [ { "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.14" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.tomcat.embed:tomcat-embed-core" }, "ranges": [ { "events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.81" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.tomcat.embed:tomcat-embed-core" }, "ranges": [ { "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.94" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2023-45648" ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2023-10-10T22:29:58Z", "nvd_published_at": "2023-10-10T19:15:09Z", "severity": "MODERATE" }, "details": "Improper Input Validation vulnerability in Apache Tomcat.\n\nTomcat\u00a0from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.", "id": "GHSA-r6j3-px5g-cq3x", "modified": "2024-04-24T15:41:59Z", "published": "2023-10-10T21:31:12Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45648" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/59583245639d8c42ae0009f4a4a70464d3ea70a0" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/8ecff306507be8e4fd3adee1ae5de1ea6661a8f4" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/c83fe47725f7ae9ae213568d9039171124fb7ec6" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/eb5c094e5560764cda436362254997511a3ca1f6" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20231103-0007" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/10" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "type": "CVSS_V3" } ], "summary": "Apache Tomcat Improper Input Validation vulnerability" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.