Search

Find a vulnerability

Search criteria

    16 vulnerabilities found for integration_camel_quarkus by redhat

    CVE-2023-4853 (GCVE-0-2023-4853)

    Vulnerability from nvd – Published: 2023-09-20 09:47 – Updated: 2025-11-07 10:17
    VLAI
    Title
    Quarkus: http security policy bypass
    Summary
    A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
    CWE
    • CWE-148 - Improper Neutralization of Input Leaders
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2023:5170 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2023:5310 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2023:5337 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2023:5446 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2023:5479 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2023:5480 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2023:6107 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2023:6112 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2023:7653 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2023-4853 vdb-entryx_refsource_REDHAT
    https://access.redhat.com/security/vulnerabilitie… technical-descriptionx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2238034 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Openshift Serverless 1 on RHEL 8 Unaffected: 0:1.9.2-3.el8 , < * (rpm)
        cpe:/a:redhat:serverless:1.0::el8
    Create a notification for this product.
    Red Hat Red Hat build of OptaPlanner 8     cpe:/a:redhat:optaplanner:::el6
    Create a notification for this product.
    Red Hat Red Hat build of Quarkus 2.13.8.SP2 Unaffected: 2.13.8.Final-redhat-00005 , < * (rpm)
        cpe:/a:redhat:quarkus:2.13
    Create a notification for this product.
    Red Hat Red Hat Camel Extensions for Quarkus 2.13.3-1     cpe:/a:redhat:camel_quarkus:2.13
    Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.9.2-3 , < * (rpm)
        cpe:/a:redhat:openshift_serverless:1.30::el8
    Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.30.1-1 , < * (rpm)
        cpe:/a:redhat:openshift_serverless:1.30::el8
    Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.30.0-5 , < * (rpm)
        cpe:/a:redhat:openshift_serverless:1.30::el8
    Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.30.0-6 , < * (rpm)
        cpe:/a:redhat:openshift_serverless:1.30::el8
    Create a notification for this product.
    Red Hat RHEL-8 based Middleware Containers Unaffected: 7.13.4-3 , < * (rpm)
        cpe:/a:redhat:rhosemc:1.0::el8
    Create a notification for this product.
    Red Hat RHEL-8 based Middleware Containers Unaffected: 7.13.4-2 , < * (rpm)
        cpe:/a:redhat:rhosemc:1.0::el8
    Create a notification for this product.
    Red Hat RHINT Camel-K-1.10.2     cpe:/a:redhat:camel_k:1
    Create a notification for this product.
    Red Hat RHINT Service Registry 2.5.4 GA     cpe:/a:redhat:service_registry:2.5
    Create a notification for this product.
    Red Hat RHPAM 7.13.4 async     cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
    Create a notification for this product.
    Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
    Create a notification for this product.
    Date Public
    2023-09-08 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:38:00.803Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2023:5170",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:5170"
              },
              {
                "name": "RHSA-2023:5310",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:5310"
              },
              {
                "name": "RHSA-2023:5337",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:5337"
              },
              {
                "name": "RHSA-2023:5446",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:5446"
              },
              {
                "name": "RHSA-2023:5479",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:5479"
              },
              {
                "name": "RHSA-2023:5480",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:5480"
              },
              {
                "name": "RHSA-2023:6107",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:6107"
              },
              {
                "name": "RHSA-2023:6112",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:6112"
              },
              {
                "name": "RHSA-2023:7653",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:7653"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2023-4853"
              },
              {
                "name": "RHSB-2023-002",
                "tags": [
                  "technical-description",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"
              },
              {
                "name": "RHBZ#2238034",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:serverless:1.0::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-clients",
              "product": "Openshift Serverless 1 on RHEL 8",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:1.9.2-3.el8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:optaplanner:::el6"
              ],
              "defaultStatus": "unaffected",
              "packageName": "quarkus-vertx-http",
              "product": "Red Hat build of OptaPlanner 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:quarkus:2.13"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus/quarkus-keycloak-authorization",
              "product": "Red Hat build of Quarkus 2.13.8.SP2",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "2.13.8.Final-redhat-00005",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:quarkus:2.13"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus/quarkus-undertow",
              "product": "Red Hat build of Quarkus 2.13.8.SP2",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "2.13.8.Final-redhat-00005",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:quarkus:2.13"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus/quarkus-vertx-http",
              "product": "Red Hat build of Quarkus 2.13.8.SP2",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "2.13.8.Final-redhat-00005",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:camel_quarkus:2.13"
              ],
              "defaultStatus": "unaffected",
              "packageName": "quarkus-vertx-http",
              "product": "Red Hat Camel Extensions for Quarkus 2.13.3-1",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1/client-kn-rhel8",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.9.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1/ingress-rhel8-operator",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.30.1-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1/knative-rhel8-operator",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.30.1-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1/kn-cli-artifacts-rhel8",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.9.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1/serverless-operator-bundle",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.30.1-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1/serverless-rhel8-operator",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.30.1-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1/svls-must-gather-rhel8",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.30.1-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1-tech-preview/logic-data-index-ephemeral-rhel8",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.30.0-5",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1-tech-preview/logic-swf-builder-rhel8",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.30.0-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1-tech-preview/logic-swf-devmode-rhel8",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.30.0-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:rhosemc:1.0::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "rhpam-7/rhpam-kogito-builder-rhel8",
              "product": "RHEL-8 based Middleware Containers",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "7.13.4-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:rhosemc:1.0::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "rhpam-7/rhpam-kogito-rhel8-operator",
              "product": "RHEL-8 based Middleware Containers",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "7.13.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:rhosemc:1.0::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "rhpam-7/rhpam-kogito-rhel8-operator-bundle",
              "product": "RHEL-8 based Middleware Containers",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "7.13.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:rhosemc:1.0::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8",
              "product": "RHEL-8 based Middleware Containers",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "7.13.4-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:rhosemc:1.0::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8",
              "product": "RHEL-8 based Middleware Containers",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "7.13.4-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:camel_k:1"
              ],
              "defaultStatus": "unaffected",
              "packageName": "quarkus-vertx-http",
              "product": "RHINT Camel-K-1.10.2",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:service_registry:2.5"
              ],
              "defaultStatus": "unaffected",
              "packageName": "quarkus-vertx-http",
              "product": "RHINT Service Registry 2.5.4 GA",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"
              ],
              "defaultStatus": "unaffected",
              "product": "RHPAM 7.13.4 async",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
              ],
              "defaultStatus": "affected",
              "packageName": "quarkus-vertx-http",
              "product": "Red Hat Process Automation 7",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2023-09-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-148",
                  "description": "Improper Neutralization of Input Leaders",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-07T10:17:29.266Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2023:5170",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:5170"
            },
            {
              "name": "RHSA-2023:5310",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:5310"
            },
            {
              "name": "RHSA-2023:5337",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:5337"
            },
            {
              "name": "RHSA-2023:5446",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:5446"
            },
            {
              "name": "RHSA-2023:5479",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:5479"
            },
            {
              "name": "RHSA-2023:5480",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:5480"
            },
            {
              "name": "RHSA-2023:6107",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:6107"
            },
            {
              "name": "RHSA-2023:6112",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:6112"
            },
            {
              "name": "RHSA-2023:7653",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:7653"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2023-4853"
            },
            {
              "name": "RHSB-2023-002",
              "tags": [
                "technical-description",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"
            },
            {
              "name": "RHBZ#2238034",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-09-08T00:00:00.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2023-09-08T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Quarkus: http security policy bypass",
          "workarounds": [
            {
              "lang": "en",
              "value": "Use a \u2018deny\u2019 wildcard for base paths, then authenticate specifics within that:\n\nExamples:\n```\ndeny: /*\nauthenticated: /services/*\n```\nor\n```\ndeny: /services/*\nroles-allowed: /services/rbac/*\n```\n\nNOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected\u2013shipping the component in question\u2013without being vulnerable (\u201caffected at reduced impact\u201d).\n\nSee https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations."
            }
          ],
          "x_redhatCweChain": "CWE-148: Improper Neutralization of Input Leaders"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2023-4853",
        "datePublished": "2023-09-20T09:47:32.150Z",
        "dateReserved": "2023-09-08T16:10:38.379Z",
        "dateUpdated": "2025-11-07T10:17:29.266Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-41862 (GCVE-0-2022-41862)

    Vulnerability from nvd – Published: 2023-03-03 00:00 – Updated: 2025-03-07 16:03
    VLAI
    Summary
    In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    n/a postgresql Affected: postgresql 5.2, postgresql 14.7, postgresql 13.10, postgresql 12.14, postgresql 11.19
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:56:38.305Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.postgresql.org/support/security/CVE-2022-41862/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2165722"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20230427-0002/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 3.7,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-41862",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-07T16:02:06.549666Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-07T16:03:01.364Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "postgresql",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "postgresql 5.2, postgresql 14.7, postgresql 13.10, postgresql 12.14, postgresql 11.19"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-27T00:00:00.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "url": "https://www.postgresql.org/support/security/CVE-2022-41862/"
            },
            {
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2165722"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20230427-0002/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2022-41862",
        "datePublished": "2023-03-03T00:00:00.000Z",
        "dateReserved": "2022-09-30T00:00:00.000Z",
        "dateUpdated": "2025-03-07T16:03:01.364Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-0084 (GCVE-0-2022-0084)

    Vulnerability from nvd – Published: 2022-08-26 17:25 – Updated: 2024-08-02 23:18
    VLAI
    Summary
    A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.
    Severity
    No CVSS data available.
    CWE
    • CWE-770 - - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    n/a xnio Affected: Fixed in v3.x
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:18:41.681Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2022-0084"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xnio/xnio/pull/291"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xnio/xnio/commit/fdefb3b8b715d33387cadc4d48991fb1989b0c12"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xnio",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Fixed in v3.x"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 - Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-26T17:25:46.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2022-0084"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xnio/xnio/pull/291"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xnio/xnio/commit/fdefb3b8b715d33387cadc4d48991fb1989b0c12"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2022-0084",
        "datePublished": "2022-08-26T17:25:46.000Z",
        "dateReserved": "2022-01-03T00:00:00.000Z",
        "dateUpdated": "2024-08-02T23:18:41.681Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-4178 (GCVE-0-2021-4178)

    Vulnerability from nvd – Published: 2022-08-24 15:02 – Updated: 2024-08-03 17:16
    VLAI
    Summary
    A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.
    Severity
    No CVSS data available.
    CWE
    • CWE-502 - - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    n/a kubernetes-client Affected: Affects 5.x versions, Fixed in kubernetes-client v5.0.3 and above.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:16:04.264Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034388"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2021-4178"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-98g7-rxmf-rrxm"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fabric8io/kubernetes-client/issues/3653"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kubernetes-client",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Affects 5.x versions, Fixed in kubernetes-client v5.0.3 and above."
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 - Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-24T15:02:11.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034388"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2021-4178"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/advisories/GHSA-98g7-rxmf-rrxm"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fabric8io/kubernetes-client/issues/3653"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2021-4178",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "kubernetes-client",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Affects 5.x versions, Fixed in kubernetes-client v5.0.3 and above."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-502 - Deserialization of Untrusted Data"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2034388",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034388"
                },
                {
                  "name": "https://access.redhat.com/security/cve/CVE-2021-4178",
                  "refsource": "MISC",
                  "url": "https://access.redhat.com/security/cve/CVE-2021-4178"
                },
                {
                  "name": "https://github.com/advisories/GHSA-98g7-rxmf-rrxm",
                  "refsource": "MISC",
                  "url": "https://github.com/advisories/GHSA-98g7-rxmf-rrxm"
                },
                {
                  "name": "https://github.com/fabric8io/kubernetes-client/issues/3653",
                  "refsource": "MISC",
                  "url": "https://github.com/fabric8io/kubernetes-client/issues/3653"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2021-4178",
        "datePublished": "2022-08-24T15:02:11.000Z",
        "dateReserved": "2021-12-27T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:16:04.264Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3690 (GCVE-0-2021-3690)

    Vulnerability from nvd – Published: 2022-08-23 15:50 – Updated: 2024-08-03 17:01
    VLAI
    Summary
    A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    n/a undertow Affected: Fixed in 2.2.10.Final, 2.0.40.Final
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:01:08.307Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://issues.redhat.com/browse/UNDERTOW-1935"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991299"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2021-3690"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "undertow",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Fixed in 2.2.10.Final, 2.0.40.Final"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 - Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-23T15:50:35.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://issues.redhat.com/browse/UNDERTOW-1935"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991299"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2021-3690"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2021-3690",
        "datePublished": "2022-08-23T15:50:35.000Z",
        "dateReserved": "2021-08-09T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:01:08.307Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-4104 (GCVE-0-2021-4104)

    Vulnerability from nvd – Published: 2021-12-14 00:00 – Updated: 2026-05-28 19:53
    VLAI
    Title
    Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
    Summary
    JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Log4j 1.x Affected: Apache Log4j 1.2 1.2.x
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:16:04.172Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2021-4104"
              },
              {
                "name": "VU#930724",
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://www.kb.cert.org/vuls/id/930724"
              },
              {
                "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20211223-0007/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              },
              {
                "name": "GLSA-202209-02",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202209-02"
              },
              {
                "name": "GLSA-202310-16",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202310-16"
              },
              {
                "name": "GLSA-202312-02",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202312-02"
              },
              {
                "name": "GLSA-202312-04",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202312-04"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-4104",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2023-12-20T16:29:18.701121Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T19:53:14.378Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Log4j 1.x",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "Apache Log4j 1.2 1.2.x"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-12-22T09:06:15.357Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
            },
            {
              "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126"
            },
            {
              "url": "https://access.redhat.com/security/cve/CVE-2021-4104"
            },
            {
              "name": "VU#930724",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.kb.cert.org/vuls/id/930724"
            },
            {
              "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20211223-0007/"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            },
            {
              "name": "GLSA-202209-02",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202209-02"
            },
            {
              "name": "GLSA-202310-16",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202310-16"
            },
            {
              "name": "GLSA-202312-02",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202312-02"
            },
            {
              "name": "GLSA-202312-04",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202312-04"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2021-4104",
        "datePublished": "2021-12-14T00:00:00.000Z",
        "dateReserved": "2021-12-13T00:00:00.000Z",
        "dateUpdated": "2026-05-28T19:53:14.378Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-3642 (GCVE-0-2021-3642)

    Vulnerability from nvd – Published: 2021-08-05 20:48 – Updated: 2024-08-03 17:01
    VLAI
    Summary
    A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a wildfly-elytron Affected: Wildfly Elytron 1.10.14.Final, Wildfly Elytron 1.15.5.Final, Wildfly Elytron 1.16.1.Final
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:01:07.598Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wildfly-elytron",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Wildfly Elytron 1.10.14.Final, Wildfly Elytron 1.15.5.Final, Wildfly Elytron 1.16.1.Final"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-203",
                  "description": "CWE-203",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-08-30T17:37:38.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2021-3642",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "wildfly-elytron",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Wildfly Elytron 1.10.14.Final, Wildfly Elytron 1.15.5.Final, Wildfly Elytron 1.16.1.Final"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-203"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2021-3642",
        "datePublished": "2021-08-05T20:48:01.000Z",
        "dateReserved": "2021-07-12T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:01:07.598Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3536 (GCVE-0-2021-3536)

    Vulnerability from nvd – Published: 2021-05-20 12:15 – Updated: 2024-08-03 17:01
    VLAI
    Summary
    A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a wildfly Affected: Wildfly 23.0.2.Final
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:01:07.095Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wildfly",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Wildfly 23.0.2.Final"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-20T12:15:09.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2021-3536",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "wildfly",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Wildfly 23.0.2.Final"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2021-3536",
        "datePublished": "2021-05-20T12:15:09.000Z",
        "dateReserved": "2021-05-05T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:01:07.095Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-4853 (GCVE-0-2023-4853)

    Vulnerability from cvelistv5 – Published: 2023-09-20 09:47 – Updated: 2025-11-07 10:17
    VLAI
    Title
    Quarkus: http security policy bypass
    Summary
    A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
    CWE
    • CWE-148 - Improper Neutralization of Input Leaders
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2023:5170 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2023:5310 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2023:5337 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2023:5446 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2023:5479 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2023:5480 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2023:6107 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2023:6112 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2023:7653 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2023-4853 vdb-entryx_refsource_REDHAT
    https://access.redhat.com/security/vulnerabilitie… technical-descriptionx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2238034 issue-trackingx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Red Hat Openshift Serverless 1 on RHEL 8 Unaffected: 0:1.9.2-3.el8 , < * (rpm)
        cpe:/a:redhat:serverless:1.0::el8
    Create a notification for this product.
    Red Hat Red Hat build of OptaPlanner 8     cpe:/a:redhat:optaplanner:::el6
    Create a notification for this product.
    Red Hat Red Hat build of Quarkus 2.13.8.SP2 Unaffected: 2.13.8.Final-redhat-00005 , < * (rpm)
        cpe:/a:redhat:quarkus:2.13
    Create a notification for this product.
    Red Hat Red Hat Camel Extensions for Quarkus 2.13.3-1     cpe:/a:redhat:camel_quarkus:2.13
    Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.9.2-3 , < * (rpm)
        cpe:/a:redhat:openshift_serverless:1.30::el8
    Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.30.1-1 , < * (rpm)
        cpe:/a:redhat:openshift_serverless:1.30::el8
    Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.30.0-5 , < * (rpm)
        cpe:/a:redhat:openshift_serverless:1.30::el8
    Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.30.0-6 , < * (rpm)
        cpe:/a:redhat:openshift_serverless:1.30::el8
    Create a notification for this product.
    Red Hat RHEL-8 based Middleware Containers Unaffected: 7.13.4-3 , < * (rpm)
        cpe:/a:redhat:rhosemc:1.0::el8
    Create a notification for this product.
    Red Hat RHEL-8 based Middleware Containers Unaffected: 7.13.4-2 , < * (rpm)
        cpe:/a:redhat:rhosemc:1.0::el8
    Create a notification for this product.
    Red Hat RHINT Camel-K-1.10.2     cpe:/a:redhat:camel_k:1
    Create a notification for this product.
    Red Hat RHINT Service Registry 2.5.4 GA     cpe:/a:redhat:service_registry:2.5
    Create a notification for this product.
    Red Hat RHPAM 7.13.4 async     cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
    Create a notification for this product.
    Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
    Create a notification for this product.
    Date Public
    2023-09-08 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:38:00.803Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2023:5170",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:5170"
              },
              {
                "name": "RHSA-2023:5310",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:5310"
              },
              {
                "name": "RHSA-2023:5337",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:5337"
              },
              {
                "name": "RHSA-2023:5446",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:5446"
              },
              {
                "name": "RHSA-2023:5479",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:5479"
              },
              {
                "name": "RHSA-2023:5480",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:5480"
              },
              {
                "name": "RHSA-2023:6107",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:6107"
              },
              {
                "name": "RHSA-2023:6112",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:6112"
              },
              {
                "name": "RHSA-2023:7653",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2023:7653"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2023-4853"
              },
              {
                "name": "RHSB-2023-002",
                "tags": [
                  "technical-description",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"
              },
              {
                "name": "RHBZ#2238034",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:serverless:1.0::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-clients",
              "product": "Openshift Serverless 1 on RHEL 8",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:1.9.2-3.el8",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:optaplanner:::el6"
              ],
              "defaultStatus": "unaffected",
              "packageName": "quarkus-vertx-http",
              "product": "Red Hat build of OptaPlanner 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:quarkus:2.13"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus/quarkus-keycloak-authorization",
              "product": "Red Hat build of Quarkus 2.13.8.SP2",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "2.13.8.Final-redhat-00005",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:quarkus:2.13"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus/quarkus-undertow",
              "product": "Red Hat build of Quarkus 2.13.8.SP2",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "2.13.8.Final-redhat-00005",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:quarkus:2.13"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus/quarkus-vertx-http",
              "product": "Red Hat build of Quarkus 2.13.8.SP2",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "2.13.8.Final-redhat-00005",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:camel_quarkus:2.13"
              ],
              "defaultStatus": "unaffected",
              "packageName": "quarkus-vertx-http",
              "product": "Red Hat Camel Extensions for Quarkus 2.13.3-1",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1/client-kn-rhel8",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.9.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1/ingress-rhel8-operator",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.30.1-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1/knative-rhel8-operator",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.30.1-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1/kn-cli-artifacts-rhel8",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.9.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1/serverless-operator-bundle",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.30.1-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1/serverless-rhel8-operator",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.30.1-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1/svls-must-gather-rhel8",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.30.1-1",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1-tech-preview/logic-data-index-ephemeral-rhel8",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.30.0-5",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1-tech-preview/logic-swf-builder-rhel8",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.30.0-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:openshift_serverless:1.30::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "openshift-serverless-1-tech-preview/logic-swf-devmode-rhel8",
              "product": "Red Hat OpenShift Serverless 1.30",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.30.0-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:rhosemc:1.0::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "rhpam-7/rhpam-kogito-builder-rhel8",
              "product": "RHEL-8 based Middleware Containers",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "7.13.4-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:rhosemc:1.0::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "rhpam-7/rhpam-kogito-rhel8-operator",
              "product": "RHEL-8 based Middleware Containers",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "7.13.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:rhosemc:1.0::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "rhpam-7/rhpam-kogito-rhel8-operator-bundle",
              "product": "RHEL-8 based Middleware Containers",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "7.13.4-2",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:rhosemc:1.0::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8",
              "product": "RHEL-8 based Middleware Containers",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "7.13.4-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:rhosemc:1.0::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8",
              "product": "RHEL-8 based Middleware Containers",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "7.13.4-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:camel_k:1"
              ],
              "defaultStatus": "unaffected",
              "packageName": "quarkus-vertx-http",
              "product": "RHINT Camel-K-1.10.2",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:service_registry:2.5"
              ],
              "defaultStatus": "unaffected",
              "packageName": "quarkus-vertx-http",
              "product": "RHINT Service Registry 2.5.4 GA",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"
              ],
              "defaultStatus": "unaffected",
              "product": "RHPAM 7.13.4 async",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
              ],
              "defaultStatus": "affected",
              "packageName": "quarkus-vertx-http",
              "product": "Red Hat Process Automation 7",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2023-09-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-148",
                  "description": "Improper Neutralization of Input Leaders",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-07T10:17:29.266Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2023:5170",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:5170"
            },
            {
              "name": "RHSA-2023:5310",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:5310"
            },
            {
              "name": "RHSA-2023:5337",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:5337"
            },
            {
              "name": "RHSA-2023:5446",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:5446"
            },
            {
              "name": "RHSA-2023:5479",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:5479"
            },
            {
              "name": "RHSA-2023:5480",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:5480"
            },
            {
              "name": "RHSA-2023:6107",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:6107"
            },
            {
              "name": "RHSA-2023:6112",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:6112"
            },
            {
              "name": "RHSA-2023:7653",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2023:7653"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2023-4853"
            },
            {
              "name": "RHSB-2023-002",
              "tags": [
                "technical-description",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"
            },
            {
              "name": "RHBZ#2238034",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-09-08T00:00:00.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2023-09-08T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Quarkus: http security policy bypass",
          "workarounds": [
            {
              "lang": "en",
              "value": "Use a \u2018deny\u2019 wildcard for base paths, then authenticate specifics within that:\n\nExamples:\n```\ndeny: /*\nauthenticated: /services/*\n```\nor\n```\ndeny: /services/*\nroles-allowed: /services/rbac/*\n```\n\nNOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected\u2013shipping the component in question\u2013without being vulnerable (\u201caffected at reduced impact\u201d).\n\nSee https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations."
            }
          ],
          "x_redhatCweChain": "CWE-148: Improper Neutralization of Input Leaders"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2023-4853",
        "datePublished": "2023-09-20T09:47:32.150Z",
        "dateReserved": "2023-09-08T16:10:38.379Z",
        "dateUpdated": "2025-11-07T10:17:29.266Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-41862 (GCVE-0-2022-41862)

    Vulnerability from cvelistv5 – Published: 2023-03-03 00:00 – Updated: 2025-03-07 16:03
    VLAI
    Summary
    In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    n/a postgresql Affected: postgresql 5.2, postgresql 14.7, postgresql 13.10, postgresql 12.14, postgresql 11.19
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:56:38.305Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.postgresql.org/support/security/CVE-2022-41862/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2165722"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20230427-0002/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 3.7,
                  "baseSeverity": "LOW",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-41862",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-07T16:02:06.549666Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-07T16:03:01.364Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "postgresql",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "postgresql 5.2, postgresql 14.7, postgresql 13.10, postgresql 12.14, postgresql 11.19"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-27T00:00:00.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "url": "https://www.postgresql.org/support/security/CVE-2022-41862/"
            },
            {
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2165722"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20230427-0002/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2022-41862",
        "datePublished": "2023-03-03T00:00:00.000Z",
        "dateReserved": "2022-09-30T00:00:00.000Z",
        "dateUpdated": "2025-03-07T16:03:01.364Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-0084 (GCVE-0-2022-0084)

    Vulnerability from cvelistv5 – Published: 2022-08-26 17:25 – Updated: 2024-08-02 23:18
    VLAI
    Summary
    A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.
    Severity
    No CVSS data available.
    CWE
    • CWE-770 - - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    n/a xnio Affected: Fixed in v3.x
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:18:41.681Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2022-0084"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xnio/xnio/pull/291"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xnio/xnio/commit/fdefb3b8b715d33387cadc4d48991fb1989b0c12"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xnio",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Fixed in v3.x"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 - Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-26T17:25:46.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2022-0084"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xnio/xnio/pull/291"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xnio/xnio/commit/fdefb3b8b715d33387cadc4d48991fb1989b0c12"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2022-0084",
        "datePublished": "2022-08-26T17:25:46.000Z",
        "dateReserved": "2022-01-03T00:00:00.000Z",
        "dateUpdated": "2024-08-02T23:18:41.681Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-4178 (GCVE-0-2021-4178)

    Vulnerability from cvelistv5 – Published: 2022-08-24 15:02 – Updated: 2024-08-03 17:16
    VLAI
    Summary
    A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.
    Severity
    No CVSS data available.
    CWE
    • CWE-502 - - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    n/a kubernetes-client Affected: Affects 5.x versions, Fixed in kubernetes-client v5.0.3 and above.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:16:04.264Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034388"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2021-4178"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/advisories/GHSA-98g7-rxmf-rrxm"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fabric8io/kubernetes-client/issues/3653"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kubernetes-client",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Affects 5.x versions, Fixed in kubernetes-client v5.0.3 and above."
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 - Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-24T15:02:11.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034388"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2021-4178"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/advisories/GHSA-98g7-rxmf-rrxm"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fabric8io/kubernetes-client/issues/3653"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2021-4178",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "kubernetes-client",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Affects 5.x versions, Fixed in kubernetes-client v5.0.3 and above."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-502 - Deserialization of Untrusted Data"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2034388",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034388"
                },
                {
                  "name": "https://access.redhat.com/security/cve/CVE-2021-4178",
                  "refsource": "MISC",
                  "url": "https://access.redhat.com/security/cve/CVE-2021-4178"
                },
                {
                  "name": "https://github.com/advisories/GHSA-98g7-rxmf-rrxm",
                  "refsource": "MISC",
                  "url": "https://github.com/advisories/GHSA-98g7-rxmf-rrxm"
                },
                {
                  "name": "https://github.com/fabric8io/kubernetes-client/issues/3653",
                  "refsource": "MISC",
                  "url": "https://github.com/fabric8io/kubernetes-client/issues/3653"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2021-4178",
        "datePublished": "2022-08-24T15:02:11.000Z",
        "dateReserved": "2021-12-27T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:16:04.264Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3690 (GCVE-0-2021-3690)

    Vulnerability from cvelistv5 – Published: 2022-08-23 15:50 – Updated: 2024-08-03 17:01
    VLAI
    Summary
    A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    n/a undertow Affected: Fixed in 2.2.10.Final, 2.0.40.Final
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:01:08.307Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://issues.redhat.com/browse/UNDERTOW-1935"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991299"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2021-3690"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "undertow",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Fixed in 2.2.10.Final, 2.0.40.Final"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 - Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-23T15:50:35.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://issues.redhat.com/browse/UNDERTOW-1935"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991299"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2021-3690"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2021-3690",
        "datePublished": "2022-08-23T15:50:35.000Z",
        "dateReserved": "2021-08-09T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:01:08.307Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-4104 (GCVE-0-2021-4104)

    Vulnerability from cvelistv5 – Published: 2021-12-14 00:00 – Updated: 2026-05-28 19:53
    VLAI
    Title
    Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
    Summary
    JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Log4j 1.x Affected: Apache Log4j 1.2 1.2.x
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:16:04.172Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2021-4104"
              },
              {
                "name": "VU#930724",
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://www.kb.cert.org/vuls/id/930724"
              },
              {
                "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20211223-0007/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              },
              {
                "name": "GLSA-202209-02",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202209-02"
              },
              {
                "name": "GLSA-202310-16",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202310-16"
              },
              {
                "name": "GLSA-202312-02",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202312-02"
              },
              {
                "name": "GLSA-202312-04",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202312-04"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-4104",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2023-12-20T16:29:18.701121Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T19:53:14.378Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Log4j 1.x",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "Apache Log4j 1.2 1.2.x"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-12-22T09:06:15.357Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
            },
            {
              "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126"
            },
            {
              "url": "https://access.redhat.com/security/cve/CVE-2021-4104"
            },
            {
              "name": "VU#930724",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.kb.cert.org/vuls/id/930724"
            },
            {
              "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20211223-0007/"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            },
            {
              "name": "GLSA-202209-02",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202209-02"
            },
            {
              "name": "GLSA-202310-16",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202310-16"
            },
            {
              "name": "GLSA-202312-02",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202312-02"
            },
            {
              "name": "GLSA-202312-04",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202312-04"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2021-4104",
        "datePublished": "2021-12-14T00:00:00.000Z",
        "dateReserved": "2021-12-13T00:00:00.000Z",
        "dateUpdated": "2026-05-28T19:53:14.378Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-3642 (GCVE-0-2021-3642)

    Vulnerability from cvelistv5 – Published: 2021-08-05 20:48 – Updated: 2024-08-03 17:01
    VLAI
    Summary
    A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a wildfly-elytron Affected: Wildfly Elytron 1.10.14.Final, Wildfly Elytron 1.15.5.Final, Wildfly Elytron 1.16.1.Final
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:01:07.598Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wildfly-elytron",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Wildfly Elytron 1.10.14.Final, Wildfly Elytron 1.15.5.Final, Wildfly Elytron 1.16.1.Final"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-203",
                  "description": "CWE-203",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-08-30T17:37:38.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2021-3642",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "wildfly-elytron",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Wildfly Elytron 1.10.14.Final, Wildfly Elytron 1.15.5.Final, Wildfly Elytron 1.16.1.Final"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-203"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2021-3642",
        "datePublished": "2021-08-05T20:48:01.000Z",
        "dateReserved": "2021-07-12T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:01:07.598Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3536 (GCVE-0-2021-3536)

    Vulnerability from cvelistv5 – Published: 2021-05-20 12:15 – Updated: 2024-08-03 17:01
    VLAI
    Summary
    A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a wildfly Affected: Wildfly 23.0.2.Final
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:01:07.095Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wildfly",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Wildfly 23.0.2.Final"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-20T12:15:09.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2021-3536",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "wildfly",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Wildfly 23.0.2.Final"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2021-3536",
        "datePublished": "2021-05-20T12:15:09.000Z",
        "dateReserved": "2021-05-05T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:01:07.095Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }