Search

Find a vulnerability

Search criteria

    28 vulnerabilities found for satellite_capsule by redhat

    CVE-2025-9572 (GCVE-0-2025-9572)

    Vulnerability from nvd – Published: 2026-02-27 07:28 – Updated: 2026-03-24 11:28
    VLAI
    Title
    Foreman: satellite: graphql api permission bypass leads to information disclosure
    Summary
    n authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    The Foreman Foreman Affected: 1.22.0 , < 3.16.2 (semver)
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.15 for RHEL 8 Unaffected: 0:3.9.1.14-1.el8sat , < * (rpm)
        cpe:/a:redhat:satellite:6.15::el8
        cpe:/a:redhat:satellite_utils:6.15::el8
        cpe:/a:redhat:satellite_capsule:6.15::el8
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.15 for RHEL 8 Unaffected: 0:6.15.5.7-1.el8sat , < * (rpm)
        cpe:/a:redhat:satellite:6.15::el8
        cpe:/a:redhat:satellite_utils:6.15::el8
        cpe:/a:redhat:satellite_capsule:6.15::el8
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.16 for RHEL 8 Unaffected: 0:3.12.0.12-1.el8sat , < * (rpm)
        cpe:/a:redhat:satellite_utils:6.16::el8
        cpe:/a:redhat:satellite_capsule:6.16::el9
        cpe:/a:redhat:satellite_utils:6.16::el9
        cpe:/a:redhat:satellite_capsule:6.16::el8
        cpe:/a:redhat:satellite:6.16::el8
        cpe:/a:redhat:satellite:6.16::el9
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.16 for RHEL 8 Unaffected: 0:6.16.5.6-1.el8sat , < * (rpm)
        cpe:/a:redhat:satellite_utils:6.16::el8
        cpe:/a:redhat:satellite_capsule:6.16::el9
        cpe:/a:redhat:satellite_utils:6.16::el9
        cpe:/a:redhat:satellite_capsule:6.16::el8
        cpe:/a:redhat:satellite:6.16::el8
        cpe:/a:redhat:satellite:6.16::el9
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.16 for RHEL 9 Unaffected: 0:3.12.0.12-1.el9sat , < * (rpm)
        cpe:/a:redhat:satellite_utils:6.16::el8
        cpe:/a:redhat:satellite_capsule:6.16::el9
        cpe:/a:redhat:satellite_utils:6.16::el9
        cpe:/a:redhat:satellite_capsule:6.16::el8
        cpe:/a:redhat:satellite:6.16::el8
        cpe:/a:redhat:satellite:6.16::el9
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.16 for RHEL 9 Unaffected: 0:6.16.5.6-1.el9sat , < * (rpm)
        cpe:/a:redhat:satellite_utils:6.16::el8
        cpe:/a:redhat:satellite_capsule:6.16::el9
        cpe:/a:redhat:satellite_utils:6.16::el9
        cpe:/a:redhat:satellite_capsule:6.16::el8
        cpe:/a:redhat:satellite:6.16::el8
        cpe:/a:redhat:satellite:6.16::el9
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.17 for RHEL 9 Unaffected: 0:3.14.0.11-1.el9sat , < * (rpm)
        cpe:/a:redhat:satellite_capsule:6.17::el9
        cpe:/a:redhat:satellite:6.17::el9
        cpe:/a:redhat:satellite_utils:6.17::el9
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.18 for RHEL 9 Unaffected: 0:3.16.0.7-1.el9sat , < * (rpm)
        cpe:/a:redhat:satellite_capsule:6.18::el9
        cpe:/a:redhat:satellite:6.18::el9
        cpe:/a:redhat:satellite_utils:6.18::el9
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.18 for RHEL 9 Unaffected: 0:4.18.0.4-1.el9sat , < * (rpm)
        cpe:/a:redhat:satellite_capsule:6.18::el9
        cpe:/a:redhat:satellite:6.18::el9
        cpe:/a:redhat:satellite_utils:6.18::el9
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.18 for RHEL 9 Unaffected: 0:6.18.1-1.el9sat , < * (rpm)
        cpe:/a:redhat:satellite_capsule:6.18::el9
        cpe:/a:redhat:satellite:6.18::el9
        cpe:/a:redhat:satellite_utils:6.18::el9
    Create a notification for this product.
    Date Public
    2025-08-29 06:12
    Credits
    Red Hat would like to thank Ohad Levy (Redhat) for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9572",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-27T18:42:27.523966Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-27T18:42:37.881Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/theforeman/foreman",
              "defaultStatus": "unaffected",
              "packageName": "foreman",
              "product": "Foreman",
              "vendor": "The Foreman",
              "versions": [
                {
                  "lessThan": "3.16.2",
                  "status": "affected",
                  "version": "1.22.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite:6.15::el8",
                "cpe:/a:redhat:satellite_utils:6.15::el8",
                "cpe:/a:redhat:satellite_capsule:6.15::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "foreman",
              "product": "Red Hat Satellite 6.15 for RHEL 8",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:3.9.1.14-1.el8sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite:6.15::el8",
                "cpe:/a:redhat:satellite_utils:6.15::el8",
                "cpe:/a:redhat:satellite_capsule:6.15::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "satellite",
              "product": "Red Hat Satellite 6.15 for RHEL 8",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:6.15.5.7-1.el8sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite_utils:6.16::el8",
                "cpe:/a:redhat:satellite_capsule:6.16::el9",
                "cpe:/a:redhat:satellite_utils:6.16::el9",
                "cpe:/a:redhat:satellite_capsule:6.16::el8",
                "cpe:/a:redhat:satellite:6.16::el8",
                "cpe:/a:redhat:satellite:6.16::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "foreman",
              "product": "Red Hat Satellite 6.16 for RHEL 8",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:3.12.0.12-1.el8sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite_utils:6.16::el8",
                "cpe:/a:redhat:satellite_capsule:6.16::el9",
                "cpe:/a:redhat:satellite_utils:6.16::el9",
                "cpe:/a:redhat:satellite_capsule:6.16::el8",
                "cpe:/a:redhat:satellite:6.16::el8",
                "cpe:/a:redhat:satellite:6.16::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "satellite",
              "product": "Red Hat Satellite 6.16 for RHEL 8",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:6.16.5.6-1.el8sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite_utils:6.16::el8",
                "cpe:/a:redhat:satellite_capsule:6.16::el9",
                "cpe:/a:redhat:satellite_utils:6.16::el9",
                "cpe:/a:redhat:satellite_capsule:6.16::el8",
                "cpe:/a:redhat:satellite:6.16::el8",
                "cpe:/a:redhat:satellite:6.16::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "foreman",
              "product": "Red Hat Satellite 6.16 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:3.12.0.12-1.el9sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite_utils:6.16::el8",
                "cpe:/a:redhat:satellite_capsule:6.16::el9",
                "cpe:/a:redhat:satellite_utils:6.16::el9",
                "cpe:/a:redhat:satellite_capsule:6.16::el8",
                "cpe:/a:redhat:satellite:6.16::el8",
                "cpe:/a:redhat:satellite:6.16::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "satellite",
              "product": "Red Hat Satellite 6.16 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:6.16.5.6-1.el9sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite_capsule:6.17::el9",
                "cpe:/a:redhat:satellite:6.17::el9",
                "cpe:/a:redhat:satellite_utils:6.17::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "foreman",
              "product": "Red Hat Satellite 6.17 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:3.14.0.11-1.el9sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite_capsule:6.18::el9",
                "cpe:/a:redhat:satellite:6.18::el9",
                "cpe:/a:redhat:satellite_utils:6.18::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "foreman",
              "product": "Red Hat Satellite 6.18 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:3.16.0.7-1.el9sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite_capsule:6.18::el9",
                "cpe:/a:redhat:satellite:6.18::el9",
                "cpe:/a:redhat:satellite_utils:6.18::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rubygem-katello",
              "product": "Red Hat Satellite 6.18 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:4.18.0.4-1.el9sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite_capsule:6.18::el9",
                "cpe:/a:redhat:satellite:6.18::el9",
                "cpe:/a:redhat:satellite_utils:6.18::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "satellite",
              "product": "Red Hat Satellite 6.18 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:6.18.1-1.el9sat",
                  "versionType": "rpm"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Ohad Levy (Redhat) for reporting this issue."
            }
          ],
          "datePublic": "2025-08-29T06:12:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "n authorization flaw in Foreman\u0027s GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-24T11:28:32.518Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2025:21886",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:21886"
            },
            {
              "name": "RHSA-2025:21893",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:21893"
            },
            {
              "name": "RHSA-2025:21894",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:21894"
            },
            {
              "name": "RHSA-2025:21897",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:21897"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2025-9572"
            },
            {
              "name": "RHBZ#2391715",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391715"
            },
            {
              "url": "https://theforeman.org/security.html#2025-9572"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-08-29T00:00:00.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2025-08-29T06:12:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Foreman: satellite: graphql api permission bypass leads to information disclosure",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-863: Incorrect Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2025-9572",
        "datePublished": "2026-02-27T07:28:44.391Z",
        "dateReserved": "2025-08-28T08:47:45.693Z",
        "dateUpdated": "2026-03-24T11:28:32.518Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2020-10716 (GCVE-0-2020-10716)

    Vulnerability from nvd – Published: 2021-05-27 18:46 – Updated: 2024-08-04 11:14
    VLAI
    Summary
    A flaw was found in Red Hat Satellite's Job Invocation, where the "User Input" entry was not properly restricted to the view. This flaw allows a malicious Satellite user to scan through the Job Invocation, with the ability to search for passwords and other sensitive data. This flaw affects tfm-rubygem-foreman_ansible versions before 4.0.3.4.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a rubygem-foreman_ansible Affected: tfm-rubygem-foreman_ansible 4.0.3.4
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T11:14:14.168Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827300"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1814998"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rubygem-foreman_ansible",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "tfm-rubygem-foreman_ansible 4.0.3.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Red Hat Satellite\u0027s Job Invocation, where the \"User Input\" entry was not properly restricted to the view. This flaw allows a malicious Satellite user to scan through the Job Invocation, with the ability to search for passwords and other sensitive data. This flaw affects tfm-rubygem-foreman_ansible versions before 4.0.3.4."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-27T18:46:07.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827300"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1814998"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2020-10716",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "rubygem-foreman_ansible",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "tfm-rubygem-foreman_ansible 4.0.3.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in Red Hat Satellite\u0027s Job Invocation, where the \"User Input\" entry was not properly restricted to the view. This flaw allows a malicious Satellite user to scan through the Job Invocation, with the ability to search for passwords and other sensitive data. This flaw affects tfm-rubygem-foreman_ansible versions before 4.0.3.4."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-285"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1827300",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827300"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1814998",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1814998"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2020-10716",
        "datePublished": "2021-05-27T18:46:07.000Z",
        "dateReserved": "2020-03-20T00:00:00.000Z",
        "dateUpdated": "2024-08-04T11:14:14.168Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-10693 (GCVE-0-2020-10693)

    Vulnerability from nvd – Published: 2020-05-06 13:03 – Updated: 2024-08-04 11:06
    VLAI
    Summary
    A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Hibernate hibernate-validator Affected: 6.1.2.Final
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T11:06:11.169Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E"
              },
              {
                "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E"
              },
              {
                "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hibernate-validator",
              "vendor": "Hibernate",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.1.2.Final"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-19T23:20:51.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E"
            },
            {
              "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E"
            },
            {
              "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2020-10693",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "hibernate-validator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "6.1.2.Final"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Hibernate"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a@%3Cpluto-dev.portals.apache.org%3E"
                },
                {
                  "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c@%3Cpluto-dev.portals.apache.org%3E"
                },
                {
                  "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4@%3Cpluto-scm.portals.apache.org%3E"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2020-10693",
        "datePublished": "2020-05-06T13:03:33.000Z",
        "dateReserved": "2020-03-20T00:00:00.000Z",
        "dateUpdated": "2024-08-04T11:06:11.169Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-1000632 (GCVE-0-2018-1000632)

    Vulnerability from nvd – Published: 2018-08-20 19:00 – Updated: 2024-08-05 12:40
    VLAI
    Summary
    dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    https://lists.debian.org/debian-lts-announce/2018… mailing-listx_refsource_MLIST
    https://access.redhat.com/errata/RHSA-2019:0364 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:0362 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:0365 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:0380 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/708d94141126… mailing-listx_refsource_MLIST
    https://access.redhat.com/errata/RHSA-2019:1160 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:1162 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:1159 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:1161 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/7f6e120e6ed4… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/4a77652531d6… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/5a020ecaa3c7… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/00571f362a7a… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/d7d960b2778e… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/9d4c1af6f702… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/7e9e78f0e428… mailing-listx_refsource_MLIST
    https://access.redhat.com/errata/RHSA-2019:3172 vendor-advisoryx_refsource_REDHAT
    https://www.oracle.com/security-alerts/cpuapr2020.html x_refsource_MISC
    https://www.oracle.com/security-alerts/cpujul2020.html x_refsource_MISC
    https://www.oracle.com/technetwork/security-advis… x_refsource_CONFIRM
    https://github.com/dom4j/dom4j/issues/48 x_refsource_CONFIRM
    https://github.com/dom4j/dom4j/commit/e598eb43d41… x_refsource_CONFIRM
    https://ihacktoprotect.com/post/dom4j-xml-injection/ x_refsource_MISC
    https://security.netapp.com/advisory/ntap-2019053… x_refsource_CONFIRM
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://www.oracle.com/security-alerts/cpuApr2021.html x_refsource_MISC
    https://lists.apache.org/thread.html/rb1b990d7920… mailing-listx_refsource_MLIST
    Date Public
    2018-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T12:40:47.850Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[debian-lts-announce] 20180924 [SECURITY] [DLA 1517-1] dom4j security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html"
              },
              {
                "name": "RHSA-2019:0364",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:0364"
              },
              {
                "name": "RHSA-2019:0362",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:0362"
              },
              {
                "name": "RHSA-2019:0365",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:0365"
              },
              {
                "name": "RHSA-2019:0380",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:0380"
              },
              {
                "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E"
              },
              {
                "name": "RHSA-2019:1160",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:1160"
              },
              {
                "name": "RHSA-2019:1162",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:1162"
              },
              {
                "name": "RHSA-2019:1159",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:1159"
              },
              {
                "name": "RHSA-2019:1161",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:1161"
              },
              {
                "name": "[maven-dev] 20190531 proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce%40%3Cdev.maven.apache.org%3E"
              },
              {
                "name": "[maven-dev] 20190531 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768%40%3Cdev.maven.apache.org%3E"
              },
              {
                "name": "[maven-commits] 20190531 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc%40%3Ccommits.maven.apache.org%3E"
              },
              {
                "name": "[maven-commits] 20190601 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74%40%3Ccommits.maven.apache.org%3E"
              },
              {
                "name": "[maven-dev] 20190603 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f%40%3Cdev.maven.apache.org%3E"
              },
              {
                "name": "[maven-commits] 20190604 [maven-archetype] branch master updated: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0%40%3Ccommits.maven.apache.org%3E"
              },
              {
                "name": "[maven-dev] 20190610 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458%40%3Cdev.maven.apache.org%3E"
              },
              {
                "name": "RHSA-2019:3172",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3172"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/dom4j/dom4j/issues/48"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190530-0001/"
              },
              {
                "name": "FEDORA-2021-f28c870528",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP/"
              },
              {
                "name": "FEDORA-2021-8015a8cdc4",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
              },
              {
                "name": "[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "dateAssigned": "2018-08-19T00:00:00.000Z",
          "datePublic": "2018-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-09-07T05:06:02.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "[debian-lts-announce] 20180924 [SECURITY] [DLA 1517-1] dom4j security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html"
            },
            {
              "name": "RHSA-2019:0364",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0364"
            },
            {
              "name": "RHSA-2019:0362",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0362"
            },
            {
              "name": "RHSA-2019:0365",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0365"
            },
            {
              "name": "RHSA-2019:0380",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0380"
            },
            {
              "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E"
            },
            {
              "name": "RHSA-2019:1160",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:1160"
            },
            {
              "name": "RHSA-2019:1162",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:1162"
            },
            {
              "name": "RHSA-2019:1159",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:1159"
            },
            {
              "name": "RHSA-2019:1161",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:1161"
            },
            {
              "name": "[maven-dev] 20190531 proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce%40%3Cdev.maven.apache.org%3E"
            },
            {
              "name": "[maven-dev] 20190531 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768%40%3Cdev.maven.apache.org%3E"
            },
            {
              "name": "[maven-commits] 20190531 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc%40%3Ccommits.maven.apache.org%3E"
            },
            {
              "name": "[maven-commits] 20190601 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74%40%3Ccommits.maven.apache.org%3E"
            },
            {
              "name": "[maven-dev] 20190603 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f%40%3Cdev.maven.apache.org%3E"
            },
            {
              "name": "[maven-commits] 20190604 [maven-archetype] branch master updated: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0%40%3Ccommits.maven.apache.org%3E"
            },
            {
              "name": "[maven-dev] 20190610 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458%40%3Cdev.maven.apache.org%3E"
            },
            {
              "name": "RHSA-2019:3172",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3172"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/dom4j/dom4j/issues/48"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190530-0001/"
            },
            {
              "name": "FEDORA-2021-f28c870528",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP/"
            },
            {
              "name": "FEDORA-2021-8015a8cdc4",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "name": "[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "DATE_ASSIGNED": "2018-08-19T17:09:33.115822",
              "DATE_REQUESTED": "2018-07-30T13:22:12",
              "ID": "CVE-2018-1000632",
              "REQUESTER": "mario.s.s.areias@gmail.com",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "[debian-lts-announce] 20180924 [SECURITY] [DLA 1517-1] dom4j security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html"
                },
                {
                  "name": "RHSA-2019:0364",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:0364"
                },
                {
                  "name": "RHSA-2019:0362",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:0362"
                },
                {
                  "name": "RHSA-2019:0365",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:0365"
                },
                {
                  "name": "RHSA-2019:0380",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:0380"
                },
                {
                  "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E"
                },
                {
                  "name": "RHSA-2019:1160",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:1160"
                },
                {
                  "name": "RHSA-2019:1162",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:1162"
                },
                {
                  "name": "RHSA-2019:1159",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:1159"
                },
                {
                  "name": "RHSA-2019:1161",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:1161"
                },
                {
                  "name": "[maven-dev] 20190531 proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce@%3Cdev.maven.apache.org%3E"
                },
                {
                  "name": "[maven-dev] 20190531 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768@%3Cdev.maven.apache.org%3E"
                },
                {
                  "name": "[maven-commits] 20190531 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc@%3Ccommits.maven.apache.org%3E"
                },
                {
                  "name": "[maven-commits] 20190601 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74@%3Ccommits.maven.apache.org%3E"
                },
                {
                  "name": "[maven-dev] 20190603 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f@%3Cdev.maven.apache.org%3E"
                },
                {
                  "name": "[maven-commits] 20190604 [maven-archetype] branch master updated: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0@%3Ccommits.maven.apache.org%3E"
                },
                {
                  "name": "[maven-dev] 20190610 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458@%3Cdev.maven.apache.org%3E"
                },
                {
                  "name": "RHSA-2019:3172",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3172"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
                },
                {
                  "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
                },
                {
                  "name": "https://github.com/dom4j/dom4j/issues/48",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/dom4j/dom4j/issues/48"
                },
                {
                  "name": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387"
                },
                {
                  "name": "https://ihacktoprotect.com/post/dom4j-xml-injection/",
                  "refsource": "MISC",
                  "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190530-0001/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190530-0001/"
                },
                {
                  "name": "FEDORA-2021-f28c870528",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP/"
                },
                {
                  "name": "FEDORA-2021-8015a8cdc4",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA/"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
                },
                {
                  "name": "[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2018-1000632",
        "datePublished": "2018-08-20T19:00:00.000Z",
        "dateReserved": "2018-07-30T00:00:00.000Z",
        "dateUpdated": "2024-08-05T12:40:47.850Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-8639 (GCVE-0-2016-8639)

    Vulnerability from nvd – Published: 2018-08-01 13:00 – Updated: 2024-08-06 02:27
    VLAI
    Summary
    It was found that foreman before 1.13.0 is vulnerable to a stored XSS via an organization or location name. This could allow an attacker with privileges to set the organization or location name to display arbitrary HTML including scripting code within the web interface.
    CWE
    Assigner
    References
    Impacted products
    Date Public
    2016-05-12 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T02:27:41.125Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8639"
              },
              {
                "name": "RHSA-2018:0336",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0336"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/theforeman/foreman/pull/3523"
              },
              {
                "name": "94263",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/94263"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://projects.theforeman.org/issues/15037"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "foreman",
              "vendor": "The Foreman Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.13.0"
                }
              ]
            }
          ],
          "datePublic": "2016-05-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "It was found that foreman before 1.13.0 is vulnerable to a stored XSS via an organization or location name. This could allow an attacker with privileges to set the organization or location name to display arbitrary HTML including scripting code within the web interface."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-08-02T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8639"
            },
            {
              "name": "RHSA-2018:0336",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0336"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/theforeman/foreman/pull/3523"
            },
            {
              "name": "94263",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/94263"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://projects.theforeman.org/issues/15037"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2016-8639",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "foreman",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "1.13.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The Foreman Project"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "It was found that foreman before 1.13.0 is vulnerable to a stored XSS via an organization or location name. This could allow an attacker with privileges to set the organization or location name to display arbitrary HTML including scripting code within the web interface."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "6.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                    "version": "3.0"
                  }
                ],
                [
                  {
                    "vectorString": "4.9/AV:N/AC:M/Au:S/C:P/I:P/A:N",
                    "version": "2.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8639",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8639"
                },
                {
                  "name": "RHSA-2018:0336",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0336"
                },
                {
                  "name": "https://github.com/theforeman/foreman/pull/3523",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/theforeman/foreman/pull/3523"
                },
                {
                  "name": "94263",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/94263"
                },
                {
                  "name": "https://projects.theforeman.org/issues/15037",
                  "refsource": "CONFIRM",
                  "url": "https://projects.theforeman.org/issues/15037"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2016-8639",
        "datePublished": "2018-08-01T13:00:00.000Z",
        "dateReserved": "2016-10-12T00:00:00.000Z",
        "dateUpdated": "2024-08-06T02:27:41.125Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-9595 (GCVE-0-2016-9595)

    Vulnerability from nvd – Published: 2018-07-27 18:00 – Updated: 2024-08-06 02:59
    VLAI
    Summary
    A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2018:0336 vendor-advisoryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Foreman katello-debug Affected: 3.4.0
    Create a notification for this product.
    Date Public
    2018-07-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T02:59:02.231Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:0336",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0336"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9595"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "katello-debug",
              "vendor": "Foreman",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.4.0"
                }
              ]
            }
          ],
          "datePublic": "2018-07-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-377",
                  "description": "CWE-377",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-28T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2018:0336",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0336"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9595"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2016-9595",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "katello-debug",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "3.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Foreman"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "7.3/CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                    "version": "3.0"
                  }
                ],
                [
                  {
                    "vectorString": "6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C",
                    "version": "2.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-377"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:0336",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0336"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9595",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9595"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2016-9595",
        "datePublished": "2018-07-27T18:00:00.000Z",
        "dateReserved": "2016-11-23T00:00:00.000Z",
        "dateUpdated": "2024-08-06T02:59:02.231Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-1000338 (GCVE-0-2016-1000338)

    Vulnerability from nvd – Published: 2018-06-01 00:00 – Updated: 2024-08-06 03:55
    VLAI
    Summary
    In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2016-10-14 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T03:55:27.500Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[debian-lts-announce] 20180707 [SECURITY] [DLA 1418-1] bouncycastle security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html"
              },
              {
                "name": "RHSA-2018:2669",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2669"
              },
              {
                "name": "USN-3727-1",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/3727-1/"
              },
              {
                "name": "RHSA-2018:2927",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2927"
              },
              {
                "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20231006-0011/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-10-14T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of \u0027invisible\u0027 data into a signed structure."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-06T14:06:34.847Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "[debian-lts-announce] 20180707 [SECURITY] [DLA 1418-1] bouncycastle security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html"
            },
            {
              "name": "RHSA-2018:2669",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2669"
            },
            {
              "name": "USN-3727-1",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://usn.ubuntu.com/3727-1/"
            },
            {
              "name": "RHSA-2018:2927",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
              "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "url": "https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20231006-0011/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2016-1000338",
        "datePublished": "2018-06-01T00:00:00.000Z",
        "dateReserved": "2018-06-01T00:00:00.000Z",
        "dateUpdated": "2024-08-06T03:55:27.500Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-10237 (GCVE-0-2018-10237)

    Vulnerability from nvd – Published: 2018-04-26 21:00 – Updated: 2024-08-05 07:32
    VLAI
    Summary
    Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2018:2428 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2740 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2741 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2742 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2598 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2643 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2424 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2423 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2425 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2927 vendor-advisoryx_refsource_REDHAT
    http://www.securitytracker.com/id/1041707 vdb-entryx_refsource_SECTRACK
    https://access.redhat.com/errata/RHSA-2018:2743 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/cc48fe770c45… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/19fa48533bc7… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ff8dcfe29377… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/3ddd79c801ed… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/3d5dbdd92ac9… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/33c6bccfeb7a… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/053d9ce4d579… mailing-listx_refsource_MLIST
    https://access.redhat.com/errata/RHSA-2019:2858 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/b0656d359c7d… mailing-listx_refsource_MLIST
    https://access.redhat.com/errata/RHSA-2019:3149 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/519eb0fd4564… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/f9bc3e55f4e2… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r27eb79a87a7… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r95799427b33… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rc78f6e84f82… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ra0adb9653c7… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rd0c8ec6e044… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r38e2ab87528… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r2ea4e5e5aa8… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r43491b25b2e… mailing-listx_refsource_MLIST
    https://www.oracle.com/security-alerts/cpuapr2020.html x_refsource_MISC
    https://lists.apache.org/thread.html/rc8467f357b9… mailing-listx_refsource_MLIST
    https://www.oracle.com/security-alerts/cpujul2020.html x_refsource_MISC
    https://groups.google.com/d/topic/guava-announce/… x_refsource_CONFIRM
    https://lists.apache.org/thread.html/r02e39d7beb3… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r02e39d7beb3… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r50fc0bcc734… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rdc56c15693c… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ra8906723927… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ra4f44016926… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rb3da574c34b… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r223bc776a07… mailing-listx_refsource_MLIST
    https://www.oracle.com/security-alerts/cpujan2021.html x_refsource_MISC
    https://lists.apache.org/thread.html/r841c5e14e1b… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r22c8173b804… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r352e40ca987… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r30e7d7b6bfa… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r3c3b33ee5be… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rd01f5ff0164… mailing-listx_refsource_MLIST
    https://www.oracle.com/security-alerts/cpuoct2021.html x_refsource_MISC
    https://security.netapp.com/advisory/ntap-2022062… x_refsource_CONFIRM
    Date Public
    2018-04-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:32:01.750Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:2428",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2428"
              },
              {
                "name": "RHSA-2018:2740",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2740"
              },
              {
                "name": "RHSA-2018:2741",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2741"
              },
              {
                "name": "RHSA-2018:2742",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2742"
              },
              {
                "name": "RHSA-2018:2598",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2598"
              },
              {
                "name": "RHSA-2018:2643",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2643"
              },
              {
                "name": "RHSA-2018:2424",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2424"
              },
              {
                "name": "RHSA-2018:2423",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2423"
              },
              {
                "name": "RHSA-2018:2425",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2425"
              },
              {
                "name": "RHSA-2018:2927",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2927"
              },
              {
                "name": "1041707",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1041707"
              },
              {
                "name": "RHSA-2018:2743",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2743"
              },
              {
                "name": "[hadoop-hdfs-dev] 20190401 Update guava to 27.0-jre in hadoop-project",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/cc48fe770c45a74dc3b37ed0817393e0c96701fc49bc431ed922f3cc%40%3Chdfs-dev.hadoop.apache.org%3E"
              },
              {
                "name": "[hadoop-common-dev] 20190401 Update guava to 27.0-jre in hadoop-project",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/19fa48533bc7ea1accf6b12746a74ed888ae6e49a5cf81ae4f807495%40%3Ccommon-dev.hadoop.apache.org%3E"
              },
              {
                "name": "[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E"
              },
              {
                "name": "[activemq-issues] 20190516 [jira] [Created] (AMQ-7208) Security Issue related to Guava 18.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/3ddd79c801edd99c0978e83dbe2168ebd36fd42acfa5dac38fb03dd6%40%3Cissues.activemq.apache.org%3E"
              },
              {
                "name": "[activemq-gitbox] 20190530 [GitHub] [activemq-artemis] brusdev opened a new pull request #2687: ARTEMIS-2359 Upgrade to Guava 24.1",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/3d5dbdd92ac9ceaef90e40f78599f9109f2f345252e0ac9d98e7e084%40%3Cgitbox.activemq.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20190612 [jira] [Assigned] (CASSANDRA-14760) CVE-2018-10237 Security vulnerability in 3.11.3",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/33c6bccfeb7adf644d4d79894ca8f09370be6ed4b20632c2e228d085%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E"
              },
              {
                "name": "RHSA-2019:2858",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2858"
              },
              {
                "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
              },
              {
                "name": "RHSA-2019:3149",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3149"
              },
              {
                "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
              },
              {
                "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
              },
              {
                "name": "[cxf-dev] 20200206 [GitHub] [cxf] davidkarlsen opened a new pull request #638: upgrade guava, CVE-2018-10237",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r27eb79a87a760335226dbfa6a7b7bffea539a535f8e80c41e482106d%40%3Cdev.cxf.apache.org%3E"
              },
              {
                "name": "[cxf-dev] 20200206 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r95799427b335807a4c54776908125c3e66597b65845ae50096d9278a%40%3Cdev.cxf.apache.org%3E"
              },
              {
                "name": "[cxf-dev] 20200211 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc78f6e84f82cc662860e96526d8ab969f34dbe12dc560e22d9d147a3%40%3Cdev.cxf.apache.org%3E"
              },
              {
                "name": "[kafka-users] 20200413 CVEs for the dependency software guava and rocksdbjni of Kafka",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b%40%3Cusers.kafka.apache.org%3E"
              },
              {
                "name": "[cxf-dev] 20200420 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd0c8ec6e044aa2958dd0549ebf8ecead7f5968c9474ba73a504161b2%40%3Cdev.cxf.apache.org%3E"
              },
              {
                "name": "[cxf-dev] 20200420 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r38e2ab87528d3c904e7fac496e8fd766b9277656ff95b97d6b6b6dcd%40%3Cdev.cxf.apache.org%3E"
              },
              {
                "name": "[cxf-dev] 20200420 [GitHub] [cxf] andrei-ivanov commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r2ea4e5e5aa8ad73b001a466c582899620961f47d77a40af712c1fdf9%40%3Cdev.cxf.apache.org%3E"
              },
              {
                "name": "[syncope-dev] 20200423 Re: Time to cut 2.1.6 / 2.0.15?",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540%40%3Cdev.syncope.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
              },
              {
                "name": "[hadoop-common-dev] 20200623 Update guava to 27.0-jre in hadoop branch-2.10",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc8467f357b943ceaa86f289f8bc1a5d1c7955b75d3bac1426f2d4ac1%40%3Ccommon-dev.hadoop.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion"
              },
              {
                "name": "[flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cdev.flink.apache.org%3E"
              },
              {
                "name": "[flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cuser.flink.apache.org%3E"
              },
              {
                "name": "[flink-dev] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r50fc0bcc734dd82e691d36d209258683141bfc0083739a77e56ad92d%40%3Cdev.flink.apache.org%3E"
              },
              {
                "name": "[flink-issues] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rdc56c15693c236e31e1e95f847b8e5e74fc0a05741d47488e7fc8c45%40%3Cissues.flink.apache.org%3E"
              },
              {
                "name": "[flink-issues] 20200814 [jira] [Commented] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ra8906723927aef2a599398c238eacfc845b74d812e0093ec2fc70a7d%40%3Cissues.flink.apache.org%3E"
              },
              {
                "name": "[lucene-issues] 20201022 [jira] [Created] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ra4f44016926dcb034b3b230280a18102062f94ae55b8a31bb92fed84%40%3Cissues.lucene.apache.org%3E"
              },
              {
                "name": "[lucene-issues] 20201022 [jira] [Updated] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rb3da574c34bc6bd37972d2266af3093b90d7e437460423c24f477919%40%3Cissues.lucene.apache.org%3E"
              },
              {
                "name": "[lucene-issues] 20201022 [jira] [Resolved] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r223bc776a077d0795786c38cbc6e7dd808fce1a9161b00ba9c0a5d55%40%3Cissues.lucene.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
              },
              {
                "name": "[maven-issues] 20210122 [GitHub] [maven-indexer] akurtakov opened a new pull request #75: Remove guava dependency from indexer-core",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E"
              },
              {
                "name": "[flink-issues] 20210212 [jira] [Closed] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r22c8173b804cd4a420c43064ba4e363d0022aa421008b1989f7354d4%40%3Cissues.flink.apache.org%3E"
              },
              {
                "name": "[samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E"
              },
              {
                "name": "[storm-issues] 20210315 [jira] [Created] (STORM-3754) Upgrade Guava version because of security vulnerability",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r30e7d7b6bfa630dacc41649a0e96dad75165d50474c1241068aa0f94%40%3Cissues.storm.apache.org%3E"
              },
              {
                "name": "[pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10149: Upgrade jclouds to 2.3.0 to fix security vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E"
              },
              {
                "name": "[arrow-github] 20210610 [GitHub] [arrow] projjal opened a new pull request #10501: ARROW-13032: Update guava version",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20220629-0008/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2018-04-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-29T18:07:18.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "RHSA-2018:2428",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2428"
            },
            {
              "name": "RHSA-2018:2740",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2740"
            },
            {
              "name": "RHSA-2018:2741",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2741"
            },
            {
              "name": "RHSA-2018:2742",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2742"
            },
            {
              "name": "RHSA-2018:2598",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2598"
            },
            {
              "name": "RHSA-2018:2643",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2643"
            },
            {
              "name": "RHSA-2018:2424",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2424"
            },
            {
              "name": "RHSA-2018:2423",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2423"
            },
            {
              "name": "RHSA-2018:2425",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2425"
            },
            {
              "name": "RHSA-2018:2927",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
              "name": "1041707",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1041707"
            },
            {
              "name": "RHSA-2018:2743",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2743"
            },
            {
              "name": "[hadoop-hdfs-dev] 20190401 Update guava to 27.0-jre in hadoop-project",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/cc48fe770c45a74dc3b37ed0817393e0c96701fc49bc431ed922f3cc%40%3Chdfs-dev.hadoop.apache.org%3E"
            },
            {
              "name": "[hadoop-common-dev] 20190401 Update guava to 27.0-jre in hadoop-project",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/19fa48533bc7ea1accf6b12746a74ed888ae6e49a5cf81ae4f807495%40%3Ccommon-dev.hadoop.apache.org%3E"
            },
            {
              "name": "[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E"
            },
            {
              "name": "[activemq-issues] 20190516 [jira] [Created] (AMQ-7208) Security Issue related to Guava 18.0",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/3ddd79c801edd99c0978e83dbe2168ebd36fd42acfa5dac38fb03dd6%40%3Cissues.activemq.apache.org%3E"
            },
            {
              "name": "[activemq-gitbox] 20190530 [GitHub] [activemq-artemis] brusdev opened a new pull request #2687: ARTEMIS-2359 Upgrade to Guava 24.1",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/3d5dbdd92ac9ceaef90e40f78599f9109f2f345252e0ac9d98e7e084%40%3Cgitbox.activemq.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20190612 [jira] [Assigned] (CASSANDRA-14760) CVE-2018-10237 Security vulnerability in 3.11.3",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/33c6bccfeb7adf644d4d79894ca8f09370be6ed4b20632c2e228d085%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E"
            },
            {
              "name": "RHSA-2019:2858",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2858"
            },
            {
              "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
            },
            {
              "name": "RHSA-2019:3149",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3149"
            },
            {
              "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
            },
            {
              "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
            },
            {
              "name": "[cxf-dev] 20200206 [GitHub] [cxf] davidkarlsen opened a new pull request #638: upgrade guava, CVE-2018-10237",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r27eb79a87a760335226dbfa6a7b7bffea539a535f8e80c41e482106d%40%3Cdev.cxf.apache.org%3E"
            },
            {
              "name": "[cxf-dev] 20200206 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r95799427b335807a4c54776908125c3e66597b65845ae50096d9278a%40%3Cdev.cxf.apache.org%3E"
            },
            {
              "name": "[cxf-dev] 20200211 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc78f6e84f82cc662860e96526d8ab969f34dbe12dc560e22d9d147a3%40%3Cdev.cxf.apache.org%3E"
            },
            {
              "name": "[kafka-users] 20200413 CVEs for the dependency software guava and rocksdbjni of Kafka",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b%40%3Cusers.kafka.apache.org%3E"
            },
            {
              "name": "[cxf-dev] 20200420 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd0c8ec6e044aa2958dd0549ebf8ecead7f5968c9474ba73a504161b2%40%3Cdev.cxf.apache.org%3E"
            },
            {
              "name": "[cxf-dev] 20200420 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r38e2ab87528d3c904e7fac496e8fd766b9277656ff95b97d6b6b6dcd%40%3Cdev.cxf.apache.org%3E"
            },
            {
              "name": "[cxf-dev] 20200420 [GitHub] [cxf] andrei-ivanov commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r2ea4e5e5aa8ad73b001a466c582899620961f47d77a40af712c1fdf9%40%3Cdev.cxf.apache.org%3E"
            },
            {
              "name": "[syncope-dev] 20200423 Re: Time to cut 2.1.6 / 2.0.15?",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540%40%3Cdev.syncope.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
              "name": "[hadoop-common-dev] 20200623 Update guava to 27.0-jre in hadoop branch-2.10",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc8467f357b943ceaa86f289f8bc1a5d1c7955b75d3bac1426f2d4ac1%40%3Ccommon-dev.hadoop.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion"
            },
            {
              "name": "[flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cdev.flink.apache.org%3E"
            },
            {
              "name": "[flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cuser.flink.apache.org%3E"
            },
            {
              "name": "[flink-dev] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r50fc0bcc734dd82e691d36d209258683141bfc0083739a77e56ad92d%40%3Cdev.flink.apache.org%3E"
            },
            {
              "name": "[flink-issues] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rdc56c15693c236e31e1e95f847b8e5e74fc0a05741d47488e7fc8c45%40%3Cissues.flink.apache.org%3E"
            },
            {
              "name": "[flink-issues] 20200814 [jira] [Commented] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ra8906723927aef2a599398c238eacfc845b74d812e0093ec2fc70a7d%40%3Cissues.flink.apache.org%3E"
            },
            {
              "name": "[lucene-issues] 20201022 [jira] [Created] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ra4f44016926dcb034b3b230280a18102062f94ae55b8a31bb92fed84%40%3Cissues.lucene.apache.org%3E"
            },
            {
              "name": "[lucene-issues] 20201022 [jira] [Updated] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rb3da574c34bc6bd37972d2266af3093b90d7e437460423c24f477919%40%3Cissues.lucene.apache.org%3E"
            },
            {
              "name": "[lucene-issues] 20201022 [jira] [Resolved] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r223bc776a077d0795786c38cbc6e7dd808fce1a9161b00ba9c0a5d55%40%3Cissues.lucene.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            },
            {
              "name": "[maven-issues] 20210122 [GitHub] [maven-indexer] akurtakov opened a new pull request #75: Remove guava dependency from indexer-core",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E"
            },
            {
              "name": "[flink-issues] 20210212 [jira] [Closed] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r22c8173b804cd4a420c43064ba4e363d0022aa421008b1989f7354d4%40%3Cissues.flink.apache.org%3E"
            },
            {
              "name": "[samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E"
            },
            {
              "name": "[storm-issues] 20210315 [jira] [Created] (STORM-3754) Upgrade Guava version because of security vulnerability",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r30e7d7b6bfa630dacc41649a0e96dad75165d50474c1241068aa0f94%40%3Cissues.storm.apache.org%3E"
            },
            {
              "name": "[pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10149: Upgrade jclouds to 2.3.0 to fix security vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E"
            },
            {
              "name": "[arrow-github] 20210610 [GitHub] [arrow] projjal opened a new pull request #10501: ARROW-13032: Update guava version",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20220629-0008/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2018-10237",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:2428",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2428"
                },
                {
                  "name": "RHSA-2018:2740",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2740"
                },
                {
                  "name": "RHSA-2018:2741",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2741"
                },
                {
                  "name": "RHSA-2018:2742",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2742"
                },
                {
                  "name": "RHSA-2018:2598",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2598"
                },
                {
                  "name": "RHSA-2018:2643",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2643"
                },
                {
                  "name": "RHSA-2018:2424",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2424"
                },
                {
                  "name": "RHSA-2018:2423",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2423"
                },
                {
                  "name": "RHSA-2018:2425",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2425"
                },
                {
                  "name": "RHSA-2018:2927",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2927"
                },
                {
                  "name": "1041707",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1041707"
                },
                {
                  "name": "RHSA-2018:2743",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2743"
                },
                {
                  "name": "[hadoop-hdfs-dev] 20190401 Update guava to 27.0-jre in hadoop-project",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/cc48fe770c45a74dc3b37ed0817393e0c96701fc49bc431ed922f3cc@%3Chdfs-dev.hadoop.apache.org%3E"
                },
                {
                  "name": "[hadoop-common-dev] 20190401 Update guava to 27.0-jre in hadoop-project",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/19fa48533bc7ea1accf6b12746a74ed888ae6e49a5cf81ae4f807495@%3Ccommon-dev.hadoop.apache.org%3E"
                },
                {
                  "name": "[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E"
                },
                {
                  "name": "[activemq-issues] 20190516 [jira] [Created] (AMQ-7208) Security Issue related to Guava 18.0",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/3ddd79c801edd99c0978e83dbe2168ebd36fd42acfa5dac38fb03dd6@%3Cissues.activemq.apache.org%3E"
                },
                {
                  "name": "[activemq-gitbox] 20190530 [GitHub] [activemq-artemis] brusdev opened a new pull request #2687: ARTEMIS-2359 Upgrade to Guava 24.1",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/3d5dbdd92ac9ceaef90e40f78599f9109f2f345252e0ac9d98e7e084@%3Cgitbox.activemq.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20190612 [jira] [Assigned] (CASSANDRA-14760) CVE-2018-10237 Security vulnerability in 3.11.3",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/33c6bccfeb7adf644d4d79894ca8f09370be6ed4b20632c2e228d085@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E"
                },
                {
                  "name": "RHSA-2019:2858",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2858"
                },
                {
                  "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
                },
                {
                  "name": "RHSA-2019:3149",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3149"
                },
                {
                  "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
                },
                {
                  "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
                },
                {
                  "name": "[cxf-dev] 20200206 [GitHub] [cxf] davidkarlsen opened a new pull request #638: upgrade guava, CVE-2018-10237",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r27eb79a87a760335226dbfa6a7b7bffea539a535f8e80c41e482106d@%3Cdev.cxf.apache.org%3E"
                },
                {
                  "name": "[cxf-dev] 20200206 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r95799427b335807a4c54776908125c3e66597b65845ae50096d9278a@%3Cdev.cxf.apache.org%3E"
                },
                {
                  "name": "[cxf-dev] 20200211 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc78f6e84f82cc662860e96526d8ab969f34dbe12dc560e22d9d147a3@%3Cdev.cxf.apache.org%3E"
                },
                {
                  "name": "[kafka-users] 20200413 CVEs for the dependency software guava and rocksdbjni of Kafka",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b@%3Cusers.kafka.apache.org%3E"
                },
                {
                  "name": "[cxf-dev] 20200420 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd0c8ec6e044aa2958dd0549ebf8ecead7f5968c9474ba73a504161b2@%3Cdev.cxf.apache.org%3E"
                },
                {
                  "name": "[cxf-dev] 20200420 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r38e2ab87528d3c904e7fac496e8fd766b9277656ff95b97d6b6b6dcd@%3Cdev.cxf.apache.org%3E"
                },
                {
                  "name": "[cxf-dev] 20200420 [GitHub] [cxf] andrei-ivanov commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r2ea4e5e5aa8ad73b001a466c582899620961f47d77a40af712c1fdf9@%3Cdev.cxf.apache.org%3E"
                },
                {
                  "name": "[syncope-dev] 20200423 Re: Time to cut 2.1.6 / 2.0.15?",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540@%3Cdev.syncope.apache.org%3E"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
                },
                {
                  "name": "[hadoop-common-dev] 20200623 Update guava to 27.0-jre in hadoop branch-2.10",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc8467f357b943ceaa86f289f8bc1a5d1c7955b75d3bac1426f2d4ac1@%3Ccommon-dev.hadoop.apache.org%3E"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
                },
                {
                  "name": "https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion",
                  "refsource": "CONFIRM",
                  "url": "https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion"
                },
                {
                  "name": "[flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cdev.flink.apache.org%3E"
                },
                {
                  "name": "[flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cuser.flink.apache.org%3E"
                },
                {
                  "name": "[flink-dev] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r50fc0bcc734dd82e691d36d209258683141bfc0083739a77e56ad92d@%3Cdev.flink.apache.org%3E"
                },
                {
                  "name": "[flink-issues] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rdc56c15693c236e31e1e95f847b8e5e74fc0a05741d47488e7fc8c45@%3Cissues.flink.apache.org%3E"
                },
                {
                  "name": "[flink-issues] 20200814 [jira] [Commented] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ra8906723927aef2a599398c238eacfc845b74d812e0093ec2fc70a7d@%3Cissues.flink.apache.org%3E"
                },
                {
                  "name": "[lucene-issues] 20201022 [jira] [Created] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ra4f44016926dcb034b3b230280a18102062f94ae55b8a31bb92fed84@%3Cissues.lucene.apache.org%3E"
                },
                {
                  "name": "[lucene-issues] 20201022 [jira] [Updated] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rb3da574c34bc6bd37972d2266af3093b90d7e437460423c24f477919@%3Cissues.lucene.apache.org%3E"
                },
                {
                  "name": "[lucene-issues] 20201022 [jira] [Resolved] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r223bc776a077d0795786c38cbc6e7dd808fce1a9161b00ba9c0a5d55@%3Cissues.lucene.apache.org%3E"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
                },
                {
                  "name": "[maven-issues] 20210122 [GitHub] [maven-indexer] akurtakov opened a new pull request #75: Remove guava dependency from indexer-core",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E"
                },
                {
                  "name": "[flink-issues] 20210212 [jira] [Closed] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r22c8173b804cd4a420c43064ba4e363d0022aa421008b1989f7354d4@%3Cissues.flink.apache.org%3E"
                },
                {
                  "name": "[samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E"
                },
                {
                  "name": "[storm-issues] 20210315 [jira] [Created] (STORM-3754) Upgrade Guava version because of security vulnerability",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r30e7d7b6bfa630dacc41649a0e96dad75165d50474c1241068aa0f94@%3Cissues.storm.apache.org%3E"
                },
                {
                  "name": "[pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10149: Upgrade jclouds to 2.3.0 to fix security vulnerabilities",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748@%3Ccommits.pulsar.apache.org%3E"
                },
                {
                  "name": "[arrow-github] 20210610 [GitHub] [arrow] projjal opened a new pull request #10501: ARROW-13032: Update guava version",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95@%3Cgithub.arrow.apache.org%3E"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20220629-0008/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20220629-0008/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2018-10237",
        "datePublished": "2018-04-26T21:00:00.000Z",
        "dateReserved": "2018-04-20T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:32:01.750Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-5382 (GCVE-0-2018-5382)

    Vulnerability from nvd – Published: 2018-04-16 13:00 – Updated: 2024-09-16 16:27
    VLAI
    Title
    Bouncy Castle BKS-V1 keystore files vulnerable to trivial hash collisions
    Summary
    The default BKS keystore use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS keystore. Bouncy Castle release 1.47 changes the BKS format to a format which uses a 160 bit HMAC instead. This applies to any BKS keystore generated prior to BC 1.47. For situations where people need to create the files for legacy reasons a specific keystore type "BKS-V1" was introduced in 1.49. It should be noted that the use of "BKS-V1" is discouraged by the library authors and should only be used where it is otherwise safe to do so, as in where the use of a 16 bit checksum for the file integrity check is not going to cause a security issue in itself.
    Severity
    No CVSS data available.
    CWE
    • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
    Assigner
    References
    Impacted products
    Vendor Product Version
    Legion of the Bouncy Castle Bouncy Castle Affected: all , < 1.47 (custom)
    Create a notification for this product.
    Date Public
    2012-03-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T05:33:44.404Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "103453",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/103453"
              },
              {
                "name": "RHSA-2018:2927",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2927"
              },
              {
                "name": "VU#306792",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://www.kb.cert.org/vuls/id/306792"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.bouncycastle.org/releasenotes.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Bouncy Castle",
              "vendor": "Legion of the Bouncy Castle",
              "versions": [
                {
                  "lessThan": "1.47",
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2012-03-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The default BKS keystore use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS keystore. Bouncy Castle release 1.47 changes the BKS format to a format which uses a 160 bit HMAC instead. This applies to any BKS keystore generated prior to BC 1.47. For situations where people need to create the files for legacy reasons a specific keystore type \"BKS-V1\" was introduced in 1.49. It should be noted that the use of \"BKS-V1\" is discouraged by the library authors and should only be used where it is otherwise safe to do so, as in where the use of a 16 bit checksum for the file integrity check is not going to cause a security issue in itself."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-02T18:52:28.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "103453",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/103453"
            },
            {
              "name": "RHSA-2018:2927",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
              "name": "VU#306792",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://www.kb.cert.org/vuls/id/306792"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.bouncycastle.org/releasenotes.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Bouncy Castle BKS-V1 keystore files vulnerable to trivial hash collisions",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cert@cert.org",
              "DATE_PUBLIC": "2012-03-20T00:00:00.000Z",
              "ID": "CVE-2018-5382",
              "STATE": "PUBLIC",
              "TITLE": "Bouncy Castle BKS-V1 keystore files vulnerable to trivial hash collisions"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Bouncy Castle",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "all",
                                "version_value": "1.47"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Legion of the Bouncy Castle"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The default BKS keystore use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS keystore. Bouncy Castle release 1.47 changes the BKS format to a format which uses a 160 bit HMAC instead. This applies to any BKS keystore generated prior to BC 1.47. For situations where people need to create the files for legacy reasons a specific keystore type \"BKS-V1\" was introduced in 1.49. It should be noted that the use of \"BKS-V1\" is discouraged by the library authors and should only be used where it is otherwise safe to do so, as in where the use of a 16 bit checksum for the file integrity check is not going to cause a security issue in itself."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "103453",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/103453"
                },
                {
                  "name": "RHSA-2018:2927",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2927"
                },
                {
                  "name": "VU#306792",
                  "refsource": "CERT-VN",
                  "url": "https://www.kb.cert.org/vuls/id/306792"
                },
                {
                  "name": "https://www.bouncycastle.org/releasenotes.html",
                  "refsource": "MISC",
                  "url": "https://www.bouncycastle.org/releasenotes.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2018-5382",
        "datePublished": "2018-04-16T13:00:00.000Z",
        "dateReserved": "2018-01-12T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:27:56.228Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-2667 (GCVE-0-2017-2667)

    Vulnerability from nvd – Published: 2018-03-12 15:00 – Updated: 2024-08-05 14:02
    VLAI
    Summary
    Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not explicitly set the verify_ssl flag for apipie-bindings that disable it by default. As a result the server certificates are not checked and connections are prone to man-in-the-middle attacks.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Foreman Hammer CLI Affected: 0.10.0
    Create a notification for this product.
    Date Public
    2017-03-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:02:07.434Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1436262"
              },
              {
                "name": "RHSA-2018:0336",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0336"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://projects.theforeman.org/issues/19033"
              },
              {
                "name": "97153",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/97153"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Hammer CLI",
              "vendor": "Foreman",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.10.0"
                }
              ]
            }
          ],
          "datePublic": "2017-03-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not explicitly set the verify_ssl flag for apipie-bindings that disable it by default. As a result the server certificates are not checked and connections are prone to man-in-the-middle attacks."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-03-13T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1436262"
            },
            {
              "name": "RHSA-2018:0336",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0336"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://projects.theforeman.org/issues/19033"
            },
            {
              "name": "97153",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/97153"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-2667",
        "datePublished": "2018-03-12T15:00:00.000Z",
        "dateReserved": "2016-12-01T00:00:00.000Z",
        "dateUpdated": "2024-08-05T14:02:07.434Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-15095 (GCVE-0-2017-15095)

    Vulnerability from nvd – Published: 2018-02-06 15:00 – Updated: 2024-09-16 22:57
    VLAI
    Summary
    A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2018:1448 vendor-advisoryx_refsource_REDHAT
    http://www.securityfocus.com/bid/103880 vdb-entryx_refsource_BID
    https://access.redhat.com/errata/RHSA-2018:0479 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:0481 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:1449 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:1450 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:0577 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:0576 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:3190 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:1451 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:3189 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2927 vendor-advisoryx_refsource_REDHAT
    http://www.securitytracker.com/id/1039769 vdb-entryx_refsource_SECTRACK
    https://access.redhat.com/errata/RHSA-2018:0342 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:0480 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:1447 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:0478 vendor-advisoryx_refsource_REDHAT
    https://www.debian.org/security/2017/dsa-4037 vendor-advisoryx_refsource_DEBIAN
    https://access.redhat.com/errata/RHSA-2019:2858 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3149 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3892 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/f095a791bda6… mailing-listx_refsource_MLIST
    https://lists.debian.org/debian-lts-announce/2020… mailing-listx_refsource_MLIST
    http://www.oracle.com/technetwork/security-adviso… x_refsource_CONFIRM
    http://www.oracle.com/technetwork/security-adviso… x_refsource_CONFIRM
    http://www.oracle.com/technetwork/security-adviso… x_refsource_CONFIRM
    https://www.oracle.com/technetwork/security-advis… x_refsource_CONFIRM
    https://www.oracle.com/technetwork/security-advis… x_refsource_MISC
    https://www.oracle.com/security-alerts/cpuoct2020.html x_refsource_MISC
    https://security.netapp.com/advisory/ntap-2017121… x_refsource_CONFIRM
    https://github.com/FasterXML/jackson-databind/iss… x_refsource_CONFIRM
    https://github.com/FasterXML/jackson-databind/iss… x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    FasterXML jackson-databind Affected: before 2.8.10
    Affected: before 2.9.1
    Create a notification for this product.
    Date Public
    2017-06-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T19:50:14.982Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:1448",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:1448"
              },
              {
                "name": "103880",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/103880"
              },
              {
                "name": "RHSA-2018:0479",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0479"
              },
              {
                "name": "RHSA-2018:0481",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0481"
              },
              {
                "name": "RHSA-2018:1449",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:1449"
              },
              {
                "name": "RHSA-2018:1450",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:1450"
              },
              {
                "name": "RHSA-2018:0577",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0577"
              },
              {
                "name": "RHSA-2018:0576",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0576"
              },
              {
                "name": "RHSA-2017:3190",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3190"
              },
              {
                "name": "RHSA-2018:1451",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:1451"
              },
              {
                "name": "RHSA-2017:3189",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3189"
              },
              {
                "name": "RHSA-2018:2927",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2927"
              },
              {
                "name": "1039769",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1039769"
              },
              {
                "name": "RHSA-2018:0342",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0342"
              },
              {
                "name": "RHSA-2018:0480",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0480"
              },
              {
                "name": "RHSA-2018:1447",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:1447"
              },
              {
                "name": "RHSA-2018:0478",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0478"
              },
              {
                "name": "DSA-4037",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2017/dsa-4037"
              },
              {
                "name": "RHSA-2019:2858",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2858"
              },
              {
                "name": "RHSA-2019:3149",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3149"
              },
              {
                "name": "RHSA-2019:3892",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3892"
              },
              {
                "name": "[lucene-solr-user] 20191219 Re: CVE-2017-7525 fix for Solr 7.7.x",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E"
              },
              {
                "name": "[debian-lts-announce] 20200131 [SECURITY] [DLA 2091-1] libjackson-json-java security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20171214-0003/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/FasterXML/jackson-databind/issues/1737"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/FasterXML/jackson-databind/issues/1680"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jackson-databind",
              "vendor": "FasterXML",
              "versions": [
                {
                  "status": "affected",
                  "version": "before 2.8.10"
                },
                {
                  "status": "affected",
                  "version": "before 2.9.1"
                }
              ]
            }
          ],
          "datePublic": "2017-06-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-184",
                  "description": "CWE-184",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-10-20T21:14:51.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2018:1448",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1448"
            },
            {
              "name": "103880",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/103880"
            },
            {
              "name": "RHSA-2018:0479",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0479"
            },
            {
              "name": "RHSA-2018:0481",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0481"
            },
            {
              "name": "RHSA-2018:1449",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1449"
            },
            {
              "name": "RHSA-2018:1450",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1450"
            },
            {
              "name": "RHSA-2018:0577",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0577"
            },
            {
              "name": "RHSA-2018:0576",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0576"
            },
            {
              "name": "RHSA-2017:3190",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3190"
            },
            {
              "name": "RHSA-2018:1451",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1451"
            },
            {
              "name": "RHSA-2017:3189",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3189"
            },
            {
              "name": "RHSA-2018:2927",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
              "name": "1039769",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1039769"
            },
            {
              "name": "RHSA-2018:0342",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0342"
            },
            {
              "name": "RHSA-2018:0480",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0480"
            },
            {
              "name": "RHSA-2018:1447",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1447"
            },
            {
              "name": "RHSA-2018:0478",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0478"
            },
            {
              "name": "DSA-4037",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2017/dsa-4037"
            },
            {
              "name": "RHSA-2019:2858",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2858"
            },
            {
              "name": "RHSA-2019:3149",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3149"
            },
            {
              "name": "RHSA-2019:3892",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3892"
            },
            {
              "name": "[lucene-solr-user] 20191219 Re: CVE-2017-7525 fix for Solr 7.7.x",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E"
            },
            {
              "name": "[debian-lts-announce] 20200131 [SECURITY] [DLA 2091-1] libjackson-json-java security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20171214-0003/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/FasterXML/jackson-databind/issues/1737"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/FasterXML/jackson-databind/issues/1680"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "DATE_PUBLIC": "2017-06-27T00:00:00",
              "ID": "CVE-2017-15095",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jackson-databind",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "before 2.8.10"
                              },
                              {
                                "version_value": "before 2.9.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "FasterXML"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-184"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:1448",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:1448"
                },
                {
                  "name": "103880",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/103880"
                },
                {
                  "name": "RHSA-2018:0479",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0479"
                },
                {
                  "name": "RHSA-2018:0481",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0481"
                },
                {
                  "name": "RHSA-2018:1449",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:1449"
                },
                {
                  "name": "RHSA-2018:1450",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:1450"
                },
                {
                  "name": "RHSA-2018:0577",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0577"
                },
                {
                  "name": "RHSA-2018:0576",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0576"
                },
                {
                  "name": "RHSA-2017:3190",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3190"
                },
                {
                  "name": "RHSA-2018:1451",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:1451"
                },
                {
                  "name": "RHSA-2017:3189",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3189"
                },
                {
                  "name": "RHSA-2018:2927",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2927"
                },
                {
                  "name": "1039769",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1039769"
                },
                {
                  "name": "RHSA-2018:0342",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0342"
                },
                {
                  "name": "RHSA-2018:0480",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0480"
                },
                {
                  "name": "RHSA-2018:1447",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:1447"
                },
                {
                  "name": "RHSA-2018:0478",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0478"
                },
                {
                  "name": "DSA-4037",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2017/dsa-4037"
                },
                {
                  "name": "RHSA-2019:2858",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2858"
                },
                {
                  "name": "RHSA-2019:3149",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3149"
                },
                {
                  "name": "RHSA-2019:3892",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3892"
                },
                {
                  "name": "[lucene-solr-user] 20191219 Re: CVE-2017-7525 fix for Solr 7.7.x",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E"
                },
                {
                  "name": "[debian-lts-announce] 20200131 [SECURITY] [DLA 2091-1] libjackson-json-java security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html"
                },
                {
                  "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
                  "refsource": "CONFIRM",
                  "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
                },
                {
                  "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
                  "refsource": "CONFIRM",
                  "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
                },
                {
                  "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
                  "refsource": "CONFIRM",
                  "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
                },
                {
                  "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
                },
                {
                  "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20171214-0003/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20171214-0003/"
                },
                {
                  "name": "https://github.com/FasterXML/jackson-databind/issues/1737",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/FasterXML/jackson-databind/issues/1737"
                },
                {
                  "name": "https://github.com/FasterXML/jackson-databind/issues/1680",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/FasterXML/jackson-databind/issues/1680"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-15095",
        "datePublished": "2018-02-06T15:00:00.000Z",
        "dateReserved": "2017-10-08T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:57:07.488Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7536 (GCVE-0-2017-7536)

    Vulnerability from nvd – Published: 2018-01-10 15:00 – Updated: 2024-09-16 17:32
    VLAI
    Summary
    In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2017:2809 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:3817 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2740 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:2810 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2741 vendor-advisoryx_refsource_REDHAT
    http://www.securitytracker.com/id/1039744 vdb-entryx_refsource_SECTRACK
    https://access.redhat.com/errata/RHSA-2018:2742 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:3458 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:2808 vendor-advisoryx_refsource_REDHAT
    http://www.securityfocus.com/bid/101048 vdb-entryx_refsource_BID
    https://access.redhat.com/errata/RHSA-2017:3455 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2927 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:3456 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2743 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:3454 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:3141 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:2811 vendor-advisoryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=1465573 x_refsource_CONFIRM
    https://lists.apache.org/thread.html/9317fd092b25… mailing-listx_refsource_MLIST
    Impacted products
    Vendor Product Version
    Red Hat, Inc. hibernate-validator Affected: 5.2.x before 5.2.5 final
    Affected: 5.3.x
    Affected: 5.4.x
    Create a notification for this product.
    Date Public
    2017-06-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:04:11.963Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2017:2809",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:2809"
              },
              {
                "name": "RHSA-2018:3817",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3817"
              },
              {
                "name": "RHSA-2018:2740",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2740"
              },
              {
                "name": "RHSA-2017:2810",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:2810"
              },
              {
                "name": "RHSA-2018:2741",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2741"
              },
              {
                "name": "1039744",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1039744"
              },
              {
                "name": "RHSA-2018:2742",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2742"
              },
              {
                "name": "RHSA-2017:3458",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3458"
              },
              {
                "name": "RHSA-2017:2808",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:2808"
              },
              {
                "name": "101048",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/101048"
              },
              {
                "name": "RHSA-2017:3455",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3455"
              },
              {
                "name": "RHSA-2018:2927",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2927"
              },
              {
                "name": "RHSA-2017:3456",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3456"
              },
              {
                "name": "RHSA-2018:2743",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2743"
              },
              {
                "name": "RHSA-2017:3454",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3454"
              },
              {
                "name": "RHSA-2017:3141",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3141"
              },
              {
                "name": "RHSA-2017:2811",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:2811"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1465573"
              },
              {
                "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hibernate-validator",
              "vendor": "Red Hat, Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.2.x before 5.2.5 final"
                },
                {
                  "status": "affected",
                  "version": "5.3.x"
                },
                {
                  "status": "affected",
                  "version": "5.4.x"
                }
              ]
            }
          ],
          "datePublic": "2017-06-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager\u0027s reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue()."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-592",
                  "description": "CWE-592",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-11-16T01:07:02.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2017:2809",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:2809"
            },
            {
              "name": "RHSA-2018:3817",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3817"
            },
            {
              "name": "RHSA-2018:2740",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2740"
            },
            {
              "name": "RHSA-2017:2810",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:2810"
            },
            {
              "name": "RHSA-2018:2741",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2741"
            },
            {
              "name": "1039744",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1039744"
            },
            {
              "name": "RHSA-2018:2742",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2742"
            },
            {
              "name": "RHSA-2017:3458",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3458"
            },
            {
              "name": "RHSA-2017:2808",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:2808"
            },
            {
              "name": "101048",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/101048"
            },
            {
              "name": "RHSA-2017:3455",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3455"
            },
            {
              "name": "RHSA-2018:2927",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
              "name": "RHSA-2017:3456",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3456"
            },
            {
              "name": "RHSA-2018:2743",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2743"
            },
            {
              "name": "RHSA-2017:3454",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3454"
            },
            {
              "name": "RHSA-2017:3141",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3141"
            },
            {
              "name": "RHSA-2017:2811",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:2811"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1465573"
            },
            {
              "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "DATE_PUBLIC": "2017-06-27T00:00:00",
              "ID": "CVE-2017-7536",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "hibernate-validator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "5.2.x before 5.2.5 final"
                              },
                              {
                                "version_value": "5.3.x"
                              },
                              {
                                "version_value": "5.4.x"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Red Hat, Inc."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager\u0027s reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue()."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-592"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2017:2809",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:2809"
                },
                {
                  "name": "RHSA-2018:3817",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3817"
                },
                {
                  "name": "RHSA-2018:2740",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2740"
                },
                {
                  "name": "RHSA-2017:2810",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:2810"
                },
                {
                  "name": "RHSA-2018:2741",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2741"
                },
                {
                  "name": "1039744",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1039744"
                },
                {
                  "name": "RHSA-2018:2742",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2742"
                },
                {
                  "name": "RHSA-2017:3458",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3458"
                },
                {
                  "name": "RHSA-2017:2808",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:2808"
                },
                {
                  "name": "101048",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/101048"
                },
                {
                  "name": "RHSA-2017:3455",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3455"
                },
                {
                  "name": "RHSA-2018:2927",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2927"
                },
                {
                  "name": "RHSA-2017:3456",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3456"
                },
                {
                  "name": "RHSA-2018:2743",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2743"
                },
                {
                  "name": "RHSA-2017:3454",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3454"
                },
                {
                  "name": "RHSA-2017:3141",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3141"
                },
                {
                  "name": "RHSA-2017:2811",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:2811"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1465573",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1465573"
                },
                {
                  "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-7536",
        "datePublished": "2018-01-10T15:00:00.000Z",
        "dateReserved": "2017-04-05T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:32:38.135Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-15100 (GCVE-0-2017-15100)

    Vulnerability from nvd – Published: 2017-11-27 14:00 – Updated: 2024-08-05 19:50
    VLAI
    Summary
    An attacker submitting facts to the Foreman server containing HTML can cause a stored XSS on certain pages: (1) Facts page, when clicking on the "chart" button and hovering over the chart; (2) Trends page, when checking the graph for a trend based on a such fact; (3) Statistics page, for facts that are aggregated on this page.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Foreman Project Foreman Affected: 1.2 and later, a fix is planned for 1.16.0
    Create a notification for this product.
    Date Public
    2017-10-31 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T19:50:16.130Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/theforeman/foreman/pull/4967"
              },
              {
                "name": "RHSA-2018:2927",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2927"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://projects.theforeman.org/issues/21519"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Foreman",
              "vendor": "Foreman Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.2 and later, a fix is planned for 1.16.0"
                }
              ]
            }
          ],
          "datePublic": "2017-10-31T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker submitting facts to the Foreman server containing HTML can cause a stored XSS on certain pages: (1) Facts page, when clicking on the \"chart\" button and hovering over the chart; (2) Trends page, when checking the graph for a trend based on a such fact; (3) Statistics page, for facts that are aggregated on this page."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-10-17T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/theforeman/foreman/pull/4967"
            },
            {
              "name": "RHSA-2018:2927",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://projects.theforeman.org/issues/21519"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-15100",
        "datePublished": "2017-11-27T14:00:00.000Z",
        "dateReserved": "2017-10-08T00:00:00.000Z",
        "dateUpdated": "2024-08-05T19:50:16.130Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-5929 (GCVE-0-2017-5929)

    Vulnerability from nvd – Published: 2017-03-13 06:14 – Updated: 2024-08-05 15:18
    VLAI
    Summary
    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2017:1832 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1675 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2927 vendor-advisoryx_refsource_REDHAT
    https://logback.qos.ch/news.html x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2017:1676 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/a6db61616180… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/18d509024d9a… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/fa4eaaa6ff41… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r967953a14e0… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rbb4dfca2f7e… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/re9b78772729… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r2c2d57ca180… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rd2227af3c9a… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r0bb19330e48… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r46736428935… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r397bf637832… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rc5f0cc2f3b1… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r718f27bed89… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r2a08573ddee… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ra007cec726a… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r632ec30791b… mailing-listx_refsource_MLIST
    Date Public
    2017-03-13 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T15:18:48.814Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2017:1832",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1832"
              },
              {
                "name": "RHSA-2017:1675",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1675"
              },
              {
                "name": "RHSA-2018:2927",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2927"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://logback.qos.ch/news.html"
              },
              {
                "name": "RHSA-2017:1676",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1676"
              },
              {
                "name": "[cassandra-commits] 20191112 [jira] [Created] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/a6db61616180d73711d6db25703085940026e2dbc40f153f9d22b203%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20191112 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/18d509024d9aeb07f0e9579066f80bf5d4dcf20467b0c240043890d1%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15421) CVE-2017-5929(QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/fa4eaaa6ff41ac6f79811e053c152ee89b7c5da8a6ac848ae97df67f%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[brooklyn-dev] 20200420 [GitHub] [brooklyn-server] duncangrant opened a new pull request #1091: Update library versions due to CVEs",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9%40%3Cdev.brooklyn.apache.org%3E"
              },
              {
                "name": "[mnemonic-dev] 20201202 [GitHub] [mnemonic] yzz127 opened a new pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rbb4dfca2f7e3e8f3570eec21c79832d33a51dfde6762725660b60169%40%3Cdev.mnemonic.apache.org%3E"
              },
              {
                "name": "[mnemonic-dev] 20201204 [GitHub] [mnemonic] bigdata-memory merged pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/re9b787727291786dfe088e3cd078c7d195c0b5781e15d3cd24a3b2fc%40%3Cdev.mnemonic.apache.org%3E"
              },
              {
                "name": "[mnemonic-commits] 20201204 [mnemonic] branch master updated: MNEMONIC-553: Fix for CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r2c2d57ca180e8173c90fe313ddf8eabbdcf8e3ae196f8b9f42599790%40%3Ccommits.mnemonic.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd2227af3c9ada2a72dc72ed05517f5857a34d487580e1f2803922ff9%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r0bb19330e48d5ad784fa20dacba9e5538d8d60f5cd9142e0f1432b4b%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210108 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r4673642893562c58cbee60c151ded6c077e8a2d02296e862224a9161%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210111 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r397bf63783240fbb5713389d3f889d287ae0c11509006700ac720037%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc5f0cc2f3b153bdf15ee7389d78585829abc9c7af4d322ba1085dd3e%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r718f27bed898008a8e037d9cc848cfc1df4d18abcbaee0cb0c142cfb%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210111 [jira] [Assigned] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r2a08573ddee4a86dc96d469485a5843a01710ee0dc2078dfca410c79%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ra007cec726a3927c918ec94c4316d05d1829c49eae8dc3648adc35e2%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210923 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r632ec30791b441e2eb5a3129532bf1b689bf181d0ef7daf50bcf0fd6%40%3Ccommits.cassandra.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2017-03-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-09-23T15:06:07.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "RHSA-2017:1832",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1832"
            },
            {
              "name": "RHSA-2017:1675",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1675"
            },
            {
              "name": "RHSA-2018:2927",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://logback.qos.ch/news.html"
            },
            {
              "name": "RHSA-2017:1676",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1676"
            },
            {
              "name": "[cassandra-commits] 20191112 [jira] [Created] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/a6db61616180d73711d6db25703085940026e2dbc40f153f9d22b203%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20191112 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/18d509024d9aeb07f0e9579066f80bf5d4dcf20467b0c240043890d1%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15421) CVE-2017-5929(QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/fa4eaaa6ff41ac6f79811e053c152ee89b7c5da8a6ac848ae97df67f%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[brooklyn-dev] 20200420 [GitHub] [brooklyn-server] duncangrant opened a new pull request #1091: Update library versions due to CVEs",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9%40%3Cdev.brooklyn.apache.org%3E"
            },
            {
              "name": "[mnemonic-dev] 20201202 [GitHub] [mnemonic] yzz127 opened a new pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rbb4dfca2f7e3e8f3570eec21c79832d33a51dfde6762725660b60169%40%3Cdev.mnemonic.apache.org%3E"
            },
            {
              "name": "[mnemonic-dev] 20201204 [GitHub] [mnemonic] bigdata-memory merged pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/re9b787727291786dfe088e3cd078c7d195c0b5781e15d3cd24a3b2fc%40%3Cdev.mnemonic.apache.org%3E"
            },
            {
              "name": "[mnemonic-commits] 20201204 [mnemonic] branch master updated: MNEMONIC-553: Fix for CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r2c2d57ca180e8173c90fe313ddf8eabbdcf8e3ae196f8b9f42599790%40%3Ccommits.mnemonic.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd2227af3c9ada2a72dc72ed05517f5857a34d487580e1f2803922ff9%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r0bb19330e48d5ad784fa20dacba9e5538d8d60f5cd9142e0f1432b4b%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210108 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r4673642893562c58cbee60c151ded6c077e8a2d02296e862224a9161%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210111 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r397bf63783240fbb5713389d3f889d287ae0c11509006700ac720037%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc5f0cc2f3b153bdf15ee7389d78585829abc9c7af4d322ba1085dd3e%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r718f27bed898008a8e037d9cc848cfc1df4d18abcbaee0cb0c142cfb%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210111 [jira] [Assigned] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r2a08573ddee4a86dc96d469485a5843a01710ee0dc2078dfca410c79%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ra007cec726a3927c918ec94c4316d05d1829c49eae8dc3648adc35e2%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210923 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r632ec30791b441e2eb5a3129532bf1b689bf181d0ef7daf50bcf0fd6%40%3Ccommits.cassandra.apache.org%3E"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2017-5929",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2017:1832",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1832"
                },
                {
                  "name": "RHSA-2017:1675",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1675"
                },
                {
                  "name": "RHSA-2018:2927",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2927"
                },
                {
                  "name": "https://logback.qos.ch/news.html",
                  "refsource": "CONFIRM",
                  "url": "https://logback.qos.ch/news.html"
                },
                {
                  "name": "RHSA-2017:1676",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1676"
                },
                {
                  "name": "[cassandra-commits] 20191112 [jira] [Created] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/a6db61616180d73711d6db25703085940026e2dbc40f153f9d22b203@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20191112 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/18d509024d9aeb07f0e9579066f80bf5d4dcf20467b0c240043890d1@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15421) CVE-2017-5929(QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/fa4eaaa6ff41ac6f79811e053c152ee89b7c5da8a6ac848ae97df67f@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[brooklyn-dev] 20200420 [GitHub] [brooklyn-server] duncangrant opened a new pull request #1091: Update library versions due to CVEs",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9@%3Cdev.brooklyn.apache.org%3E"
                },
                {
                  "name": "[mnemonic-dev] 20201202 [GitHub] [mnemonic] yzz127 opened a new pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rbb4dfca2f7e3e8f3570eec21c79832d33a51dfde6762725660b60169@%3Cdev.mnemonic.apache.org%3E"
                },
                {
                  "name": "[mnemonic-dev] 20201204 [GitHub] [mnemonic] bigdata-memory merged pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/re9b787727291786dfe088e3cd078c7d195c0b5781e15d3cd24a3b2fc@%3Cdev.mnemonic.apache.org%3E"
                },
                {
                  "name": "[mnemonic-commits] 20201204 [mnemonic] branch master updated: MNEMONIC-553: Fix for CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r2c2d57ca180e8173c90fe313ddf8eabbdcf8e3ae196f8b9f42599790@%3Ccommits.mnemonic.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd2227af3c9ada2a72dc72ed05517f5857a34d487580e1f2803922ff9@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r0bb19330e48d5ad784fa20dacba9e5538d8d60f5cd9142e0f1432b4b@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210108 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r4673642893562c58cbee60c151ded6c077e8a2d02296e862224a9161@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210111 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r397bf63783240fbb5713389d3f889d287ae0c11509006700ac720037@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc5f0cc2f3b153bdf15ee7389d78585829abc9c7af4d322ba1085dd3e@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r718f27bed898008a8e037d9cc848cfc1df4d18abcbaee0cb0c142cfb@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210111 [jira] [Assigned] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r2a08573ddee4a86dc96d469485a5843a01710ee0dc2078dfca410c79@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ra007cec726a3927c918ec94c4316d05d1829c49eae8dc3648adc35e2@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210923 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r632ec30791b441e2eb5a3129532bf1b689bf181d0ef7daf50bcf0fd6@%3Ccommits.cassandra.apache.org%3E"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2017-5929",
        "datePublished": "2017-03-13T06:14:00.000Z",
        "dateReserved": "2017-02-07T00:00:00.000Z",
        "dateUpdated": "2024-08-05T15:18:48.814Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-9572 (GCVE-0-2025-9572)

    Vulnerability from cvelistv5 – Published: 2026-02-27 07:28 – Updated: 2026-03-24 11:28
    VLAI
    Title
    Foreman: satellite: graphql api permission bypass leads to information disclosure
    Summary
    n authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    The Foreman Foreman Affected: 1.22.0 , < 3.16.2 (semver)
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.15 for RHEL 8 Unaffected: 0:3.9.1.14-1.el8sat , < * (rpm)
        cpe:/a:redhat:satellite:6.15::el8
        cpe:/a:redhat:satellite_utils:6.15::el8
        cpe:/a:redhat:satellite_capsule:6.15::el8
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.15 for RHEL 8 Unaffected: 0:6.15.5.7-1.el8sat , < * (rpm)
        cpe:/a:redhat:satellite:6.15::el8
        cpe:/a:redhat:satellite_utils:6.15::el8
        cpe:/a:redhat:satellite_capsule:6.15::el8
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.16 for RHEL 8 Unaffected: 0:3.12.0.12-1.el8sat , < * (rpm)
        cpe:/a:redhat:satellite_utils:6.16::el8
        cpe:/a:redhat:satellite_capsule:6.16::el9
        cpe:/a:redhat:satellite_utils:6.16::el9
        cpe:/a:redhat:satellite_capsule:6.16::el8
        cpe:/a:redhat:satellite:6.16::el8
        cpe:/a:redhat:satellite:6.16::el9
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.16 for RHEL 8 Unaffected: 0:6.16.5.6-1.el8sat , < * (rpm)
        cpe:/a:redhat:satellite_utils:6.16::el8
        cpe:/a:redhat:satellite_capsule:6.16::el9
        cpe:/a:redhat:satellite_utils:6.16::el9
        cpe:/a:redhat:satellite_capsule:6.16::el8
        cpe:/a:redhat:satellite:6.16::el8
        cpe:/a:redhat:satellite:6.16::el9
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.16 for RHEL 9 Unaffected: 0:3.12.0.12-1.el9sat , < * (rpm)
        cpe:/a:redhat:satellite_utils:6.16::el8
        cpe:/a:redhat:satellite_capsule:6.16::el9
        cpe:/a:redhat:satellite_utils:6.16::el9
        cpe:/a:redhat:satellite_capsule:6.16::el8
        cpe:/a:redhat:satellite:6.16::el8
        cpe:/a:redhat:satellite:6.16::el9
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.16 for RHEL 9 Unaffected: 0:6.16.5.6-1.el9sat , < * (rpm)
        cpe:/a:redhat:satellite_utils:6.16::el8
        cpe:/a:redhat:satellite_capsule:6.16::el9
        cpe:/a:redhat:satellite_utils:6.16::el9
        cpe:/a:redhat:satellite_capsule:6.16::el8
        cpe:/a:redhat:satellite:6.16::el8
        cpe:/a:redhat:satellite:6.16::el9
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.17 for RHEL 9 Unaffected: 0:3.14.0.11-1.el9sat , < * (rpm)
        cpe:/a:redhat:satellite_capsule:6.17::el9
        cpe:/a:redhat:satellite:6.17::el9
        cpe:/a:redhat:satellite_utils:6.17::el9
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.18 for RHEL 9 Unaffected: 0:3.16.0.7-1.el9sat , < * (rpm)
        cpe:/a:redhat:satellite_capsule:6.18::el9
        cpe:/a:redhat:satellite:6.18::el9
        cpe:/a:redhat:satellite_utils:6.18::el9
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.18 for RHEL 9 Unaffected: 0:4.18.0.4-1.el9sat , < * (rpm)
        cpe:/a:redhat:satellite_capsule:6.18::el9
        cpe:/a:redhat:satellite:6.18::el9
        cpe:/a:redhat:satellite_utils:6.18::el9
    Create a notification for this product.
    Red Hat Red Hat Satellite 6.18 for RHEL 9 Unaffected: 0:6.18.1-1.el9sat , < * (rpm)
        cpe:/a:redhat:satellite_capsule:6.18::el9
        cpe:/a:redhat:satellite:6.18::el9
        cpe:/a:redhat:satellite_utils:6.18::el9
    Create a notification for this product.
    Date Public
    2025-08-29 06:12
    Credits
    Red Hat would like to thank Ohad Levy (Redhat) for reporting this issue.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9572",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-27T18:42:27.523966Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-27T18:42:37.881Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/theforeman/foreman",
              "defaultStatus": "unaffected",
              "packageName": "foreman",
              "product": "Foreman",
              "vendor": "The Foreman",
              "versions": [
                {
                  "lessThan": "3.16.2",
                  "status": "affected",
                  "version": "1.22.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite:6.15::el8",
                "cpe:/a:redhat:satellite_utils:6.15::el8",
                "cpe:/a:redhat:satellite_capsule:6.15::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "foreman",
              "product": "Red Hat Satellite 6.15 for RHEL 8",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:3.9.1.14-1.el8sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite:6.15::el8",
                "cpe:/a:redhat:satellite_utils:6.15::el8",
                "cpe:/a:redhat:satellite_capsule:6.15::el8"
              ],
              "defaultStatus": "affected",
              "packageName": "satellite",
              "product": "Red Hat Satellite 6.15 for RHEL 8",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:6.15.5.7-1.el8sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite_utils:6.16::el8",
                "cpe:/a:redhat:satellite_capsule:6.16::el9",
                "cpe:/a:redhat:satellite_utils:6.16::el9",
                "cpe:/a:redhat:satellite_capsule:6.16::el8",
                "cpe:/a:redhat:satellite:6.16::el8",
                "cpe:/a:redhat:satellite:6.16::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "foreman",
              "product": "Red Hat Satellite 6.16 for RHEL 8",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:3.12.0.12-1.el8sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite_utils:6.16::el8",
                "cpe:/a:redhat:satellite_capsule:6.16::el9",
                "cpe:/a:redhat:satellite_utils:6.16::el9",
                "cpe:/a:redhat:satellite_capsule:6.16::el8",
                "cpe:/a:redhat:satellite:6.16::el8",
                "cpe:/a:redhat:satellite:6.16::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "satellite",
              "product": "Red Hat Satellite 6.16 for RHEL 8",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:6.16.5.6-1.el8sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite_utils:6.16::el8",
                "cpe:/a:redhat:satellite_capsule:6.16::el9",
                "cpe:/a:redhat:satellite_utils:6.16::el9",
                "cpe:/a:redhat:satellite_capsule:6.16::el8",
                "cpe:/a:redhat:satellite:6.16::el8",
                "cpe:/a:redhat:satellite:6.16::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "foreman",
              "product": "Red Hat Satellite 6.16 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:3.12.0.12-1.el9sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite_utils:6.16::el8",
                "cpe:/a:redhat:satellite_capsule:6.16::el9",
                "cpe:/a:redhat:satellite_utils:6.16::el9",
                "cpe:/a:redhat:satellite_capsule:6.16::el8",
                "cpe:/a:redhat:satellite:6.16::el8",
                "cpe:/a:redhat:satellite:6.16::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "satellite",
              "product": "Red Hat Satellite 6.16 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:6.16.5.6-1.el9sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite_capsule:6.17::el9",
                "cpe:/a:redhat:satellite:6.17::el9",
                "cpe:/a:redhat:satellite_utils:6.17::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "foreman",
              "product": "Red Hat Satellite 6.17 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:3.14.0.11-1.el9sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite_capsule:6.18::el9",
                "cpe:/a:redhat:satellite:6.18::el9",
                "cpe:/a:redhat:satellite_utils:6.18::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "foreman",
              "product": "Red Hat Satellite 6.18 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:3.16.0.7-1.el9sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite_capsule:6.18::el9",
                "cpe:/a:redhat:satellite:6.18::el9",
                "cpe:/a:redhat:satellite_utils:6.18::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "rubygem-katello",
              "product": "Red Hat Satellite 6.18 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:4.18.0.4-1.el9sat",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:satellite_capsule:6.18::el9",
                "cpe:/a:redhat:satellite:6.18::el9",
                "cpe:/a:redhat:satellite_utils:6.18::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "satellite",
              "product": "Red Hat Satellite 6.18 for RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0:6.18.1-1.el9sat",
                  "versionType": "rpm"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Red Hat would like to thank Ohad Levy (Redhat) for reporting this issue."
            }
          ],
          "datePublic": "2025-08-29T06:12:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "n authorization flaw in Foreman\u0027s GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-24T11:28:32.518Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2025:21886",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:21886"
            },
            {
              "name": "RHSA-2025:21893",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:21893"
            },
            {
              "name": "RHSA-2025:21894",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:21894"
            },
            {
              "name": "RHSA-2025:21897",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:21897"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2025-9572"
            },
            {
              "name": "RHBZ#2391715",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391715"
            },
            {
              "url": "https://theforeman.org/security.html#2025-9572"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-08-29T00:00:00.000Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2025-08-29T06:12:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Foreman: satellite: graphql api permission bypass leads to information disclosure",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-863: Incorrect Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2025-9572",
        "datePublished": "2026-02-27T07:28:44.391Z",
        "dateReserved": "2025-08-28T08:47:45.693Z",
        "dateUpdated": "2026-03-24T11:28:32.518Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2020-10716 (GCVE-0-2020-10716)

    Vulnerability from cvelistv5 – Published: 2021-05-27 18:46 – Updated: 2024-08-04 11:14
    VLAI
    Summary
    A flaw was found in Red Hat Satellite's Job Invocation, where the "User Input" entry was not properly restricted to the view. This flaw allows a malicious Satellite user to scan through the Job Invocation, with the ability to search for passwords and other sensitive data. This flaw affects tfm-rubygem-foreman_ansible versions before 4.0.3.4.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a rubygem-foreman_ansible Affected: tfm-rubygem-foreman_ansible 4.0.3.4
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T11:14:14.168Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827300"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1814998"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rubygem-foreman_ansible",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "tfm-rubygem-foreman_ansible 4.0.3.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Red Hat Satellite\u0027s Job Invocation, where the \"User Input\" entry was not properly restricted to the view. This flaw allows a malicious Satellite user to scan through the Job Invocation, with the ability to search for passwords and other sensitive data. This flaw affects tfm-rubygem-foreman_ansible versions before 4.0.3.4."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-27T18:46:07.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827300"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1814998"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2020-10716",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "rubygem-foreman_ansible",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "tfm-rubygem-foreman_ansible 4.0.3.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in Red Hat Satellite\u0027s Job Invocation, where the \"User Input\" entry was not properly restricted to the view. This flaw allows a malicious Satellite user to scan through the Job Invocation, with the ability to search for passwords and other sensitive data. This flaw affects tfm-rubygem-foreman_ansible versions before 4.0.3.4."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-285"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1827300",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827300"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1814998",
                  "refsource": "MISC",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1814998"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2020-10716",
        "datePublished": "2021-05-27T18:46:07.000Z",
        "dateReserved": "2020-03-20T00:00:00.000Z",
        "dateUpdated": "2024-08-04T11:14:14.168Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-10693 (GCVE-0-2020-10693)

    Vulnerability from cvelistv5 – Published: 2020-05-06 13:03 – Updated: 2024-08-04 11:06
    VLAI
    Summary
    A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Hibernate hibernate-validator Affected: 6.1.2.Final
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T11:06:11.169Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E"
              },
              {
                "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E"
              },
              {
                "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hibernate-validator",
              "vendor": "Hibernate",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.1.2.Final"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-19T23:20:51.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E"
            },
            {
              "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E"
            },
            {
              "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2020-10693",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "hibernate-validator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "6.1.2.Final"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Hibernate"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a@%3Cpluto-dev.portals.apache.org%3E"
                },
                {
                  "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c@%3Cpluto-dev.portals.apache.org%3E"
                },
                {
                  "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4@%3Cpluto-scm.portals.apache.org%3E"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2020-10693",
        "datePublished": "2020-05-06T13:03:33.000Z",
        "dateReserved": "2020-03-20T00:00:00.000Z",
        "dateUpdated": "2024-08-04T11:06:11.169Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-1000632 (GCVE-0-2018-1000632)

    Vulnerability from cvelistv5 – Published: 2018-08-20 19:00 – Updated: 2024-08-05 12:40
    VLAI
    Summary
    dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    https://lists.debian.org/debian-lts-announce/2018… mailing-listx_refsource_MLIST
    https://access.redhat.com/errata/RHSA-2019:0364 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:0362 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:0365 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:0380 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/708d94141126… mailing-listx_refsource_MLIST
    https://access.redhat.com/errata/RHSA-2019:1160 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:1162 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:1159 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:1161 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/7f6e120e6ed4… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/4a77652531d6… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/5a020ecaa3c7… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/00571f362a7a… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/d7d960b2778e… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/9d4c1af6f702… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/7e9e78f0e428… mailing-listx_refsource_MLIST
    https://access.redhat.com/errata/RHSA-2019:3172 vendor-advisoryx_refsource_REDHAT
    https://www.oracle.com/security-alerts/cpuapr2020.html x_refsource_MISC
    https://www.oracle.com/security-alerts/cpujul2020.html x_refsource_MISC
    https://www.oracle.com/technetwork/security-advis… x_refsource_CONFIRM
    https://github.com/dom4j/dom4j/issues/48 x_refsource_CONFIRM
    https://github.com/dom4j/dom4j/commit/e598eb43d41… x_refsource_CONFIRM
    https://ihacktoprotect.com/post/dom4j-xml-injection/ x_refsource_MISC
    https://security.netapp.com/advisory/ntap-2019053… x_refsource_CONFIRM
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
    https://www.oracle.com/security-alerts/cpuApr2021.html x_refsource_MISC
    https://lists.apache.org/thread.html/rb1b990d7920… mailing-listx_refsource_MLIST
    Date Public
    2018-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T12:40:47.850Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[debian-lts-announce] 20180924 [SECURITY] [DLA 1517-1] dom4j security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html"
              },
              {
                "name": "RHSA-2019:0364",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:0364"
              },
              {
                "name": "RHSA-2019:0362",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:0362"
              },
              {
                "name": "RHSA-2019:0365",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:0365"
              },
              {
                "name": "RHSA-2019:0380",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:0380"
              },
              {
                "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E"
              },
              {
                "name": "RHSA-2019:1160",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:1160"
              },
              {
                "name": "RHSA-2019:1162",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:1162"
              },
              {
                "name": "RHSA-2019:1159",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:1159"
              },
              {
                "name": "RHSA-2019:1161",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:1161"
              },
              {
                "name": "[maven-dev] 20190531 proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce%40%3Cdev.maven.apache.org%3E"
              },
              {
                "name": "[maven-dev] 20190531 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768%40%3Cdev.maven.apache.org%3E"
              },
              {
                "name": "[maven-commits] 20190531 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc%40%3Ccommits.maven.apache.org%3E"
              },
              {
                "name": "[maven-commits] 20190601 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74%40%3Ccommits.maven.apache.org%3E"
              },
              {
                "name": "[maven-dev] 20190603 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f%40%3Cdev.maven.apache.org%3E"
              },
              {
                "name": "[maven-commits] 20190604 [maven-archetype] branch master updated: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0%40%3Ccommits.maven.apache.org%3E"
              },
              {
                "name": "[maven-dev] 20190610 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458%40%3Cdev.maven.apache.org%3E"
              },
              {
                "name": "RHSA-2019:3172",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3172"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/dom4j/dom4j/issues/48"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20190530-0001/"
              },
              {
                "name": "FEDORA-2021-f28c870528",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP/"
              },
              {
                "name": "FEDORA-2021-8015a8cdc4",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
              },
              {
                "name": "[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "dateAssigned": "2018-08-19T00:00:00.000Z",
          "datePublic": "2018-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-09-07T05:06:02.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "[debian-lts-announce] 20180924 [SECURITY] [DLA 1517-1] dom4j security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html"
            },
            {
              "name": "RHSA-2019:0364",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0364"
            },
            {
              "name": "RHSA-2019:0362",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0362"
            },
            {
              "name": "RHSA-2019:0365",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0365"
            },
            {
              "name": "RHSA-2019:0380",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0380"
            },
            {
              "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E"
            },
            {
              "name": "RHSA-2019:1160",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:1160"
            },
            {
              "name": "RHSA-2019:1162",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:1162"
            },
            {
              "name": "RHSA-2019:1159",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:1159"
            },
            {
              "name": "RHSA-2019:1161",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:1161"
            },
            {
              "name": "[maven-dev] 20190531 proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce%40%3Cdev.maven.apache.org%3E"
            },
            {
              "name": "[maven-dev] 20190531 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768%40%3Cdev.maven.apache.org%3E"
            },
            {
              "name": "[maven-commits] 20190531 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc%40%3Ccommits.maven.apache.org%3E"
            },
            {
              "name": "[maven-commits] 20190601 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74%40%3Ccommits.maven.apache.org%3E"
            },
            {
              "name": "[maven-dev] 20190603 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f%40%3Cdev.maven.apache.org%3E"
            },
            {
              "name": "[maven-commits] 20190604 [maven-archetype] branch master updated: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0%40%3Ccommits.maven.apache.org%3E"
            },
            {
              "name": "[maven-dev] 20190610 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458%40%3Cdev.maven.apache.org%3E"
            },
            {
              "name": "RHSA-2019:3172",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3172"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/dom4j/dom4j/issues/48"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190530-0001/"
            },
            {
              "name": "FEDORA-2021-f28c870528",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP/"
            },
            {
              "name": "FEDORA-2021-8015a8cdc4",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "name": "[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "DATE_ASSIGNED": "2018-08-19T17:09:33.115822",
              "DATE_REQUESTED": "2018-07-30T13:22:12",
              "ID": "CVE-2018-1000632",
              "REQUESTER": "mario.s.s.areias@gmail.com",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "[debian-lts-announce] 20180924 [SECURITY] [DLA 1517-1] dom4j security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html"
                },
                {
                  "name": "RHSA-2019:0364",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:0364"
                },
                {
                  "name": "RHSA-2019:0362",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:0362"
                },
                {
                  "name": "RHSA-2019:0365",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:0365"
                },
                {
                  "name": "RHSA-2019:0380",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:0380"
                },
                {
                  "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E"
                },
                {
                  "name": "RHSA-2019:1160",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:1160"
                },
                {
                  "name": "RHSA-2019:1162",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:1162"
                },
                {
                  "name": "RHSA-2019:1159",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:1159"
                },
                {
                  "name": "RHSA-2019:1161",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:1161"
                },
                {
                  "name": "[maven-dev] 20190531 proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce@%3Cdev.maven.apache.org%3E"
                },
                {
                  "name": "[maven-dev] 20190531 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768@%3Cdev.maven.apache.org%3E"
                },
                {
                  "name": "[maven-commits] 20190531 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc@%3Ccommits.maven.apache.org%3E"
                },
                {
                  "name": "[maven-commits] 20190601 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74@%3Ccommits.maven.apache.org%3E"
                },
                {
                  "name": "[maven-dev] 20190603 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f@%3Cdev.maven.apache.org%3E"
                },
                {
                  "name": "[maven-commits] 20190604 [maven-archetype] branch master updated: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0@%3Ccommits.maven.apache.org%3E"
                },
                {
                  "name": "[maven-dev] 20190610 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458@%3Cdev.maven.apache.org%3E"
                },
                {
                  "name": "RHSA-2019:3172",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3172"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
                },
                {
                  "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
                },
                {
                  "name": "https://github.com/dom4j/dom4j/issues/48",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/dom4j/dom4j/issues/48"
                },
                {
                  "name": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387"
                },
                {
                  "name": "https://ihacktoprotect.com/post/dom4j-xml-injection/",
                  "refsource": "MISC",
                  "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20190530-0001/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20190530-0001/"
                },
                {
                  "name": "FEDORA-2021-f28c870528",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP/"
                },
                {
                  "name": "FEDORA-2021-8015a8cdc4",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA/"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
                },
                {
                  "name": "[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2018-1000632",
        "datePublished": "2018-08-20T19:00:00.000Z",
        "dateReserved": "2018-07-30T00:00:00.000Z",
        "dateUpdated": "2024-08-05T12:40:47.850Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-8639 (GCVE-0-2016-8639)

    Vulnerability from cvelistv5 – Published: 2018-08-01 13:00 – Updated: 2024-08-06 02:27
    VLAI
    Summary
    It was found that foreman before 1.13.0 is vulnerable to a stored XSS via an organization or location name. This could allow an attacker with privileges to set the organization or location name to display arbitrary HTML including scripting code within the web interface.
    CWE
    Assigner
    References
    Impacted products
    Date Public
    2016-05-12 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T02:27:41.125Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8639"
              },
              {
                "name": "RHSA-2018:0336",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0336"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/theforeman/foreman/pull/3523"
              },
              {
                "name": "94263",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/94263"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://projects.theforeman.org/issues/15037"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "foreman",
              "vendor": "The Foreman Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.13.0"
                }
              ]
            }
          ],
          "datePublic": "2016-05-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "It was found that foreman before 1.13.0 is vulnerable to a stored XSS via an organization or location name. This could allow an attacker with privileges to set the organization or location name to display arbitrary HTML including scripting code within the web interface."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-08-02T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8639"
            },
            {
              "name": "RHSA-2018:0336",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0336"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/theforeman/foreman/pull/3523"
            },
            {
              "name": "94263",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/94263"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://projects.theforeman.org/issues/15037"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2016-8639",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "foreman",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "1.13.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The Foreman Project"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "It was found that foreman before 1.13.0 is vulnerable to a stored XSS via an organization or location name. This could allow an attacker with privileges to set the organization or location name to display arbitrary HTML including scripting code within the web interface."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "6.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                    "version": "3.0"
                  }
                ],
                [
                  {
                    "vectorString": "4.9/AV:N/AC:M/Au:S/C:P/I:P/A:N",
                    "version": "2.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8639",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8639"
                },
                {
                  "name": "RHSA-2018:0336",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0336"
                },
                {
                  "name": "https://github.com/theforeman/foreman/pull/3523",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/theforeman/foreman/pull/3523"
                },
                {
                  "name": "94263",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/94263"
                },
                {
                  "name": "https://projects.theforeman.org/issues/15037",
                  "refsource": "CONFIRM",
                  "url": "https://projects.theforeman.org/issues/15037"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2016-8639",
        "datePublished": "2018-08-01T13:00:00.000Z",
        "dateReserved": "2016-10-12T00:00:00.000Z",
        "dateUpdated": "2024-08-06T02:27:41.125Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-9595 (GCVE-0-2016-9595)

    Vulnerability from cvelistv5 – Published: 2018-07-27 18:00 – Updated: 2024-08-06 02:59
    VLAI
    Summary
    A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2018:0336 vendor-advisoryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Foreman katello-debug Affected: 3.4.0
    Create a notification for this product.
    Date Public
    2018-07-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T02:59:02.231Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:0336",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0336"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9595"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "katello-debug",
              "vendor": "Foreman",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.4.0"
                }
              ]
            }
          ],
          "datePublic": "2018-07-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-377",
                  "description": "CWE-377",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-28T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2018:0336",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0336"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9595"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2016-9595",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "katello-debug",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "3.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Foreman"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "7.3/CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                    "version": "3.0"
                  }
                ],
                [
                  {
                    "vectorString": "6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C",
                    "version": "2.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-377"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:0336",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0336"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9595",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9595"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2016-9595",
        "datePublished": "2018-07-27T18:00:00.000Z",
        "dateReserved": "2016-11-23T00:00:00.000Z",
        "dateUpdated": "2024-08-06T02:59:02.231Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-1000338 (GCVE-0-2016-1000338)

    Vulnerability from cvelistv5 – Published: 2018-06-01 00:00 – Updated: 2024-08-06 03:55
    VLAI
    Summary
    In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2016-10-14 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T03:55:27.500Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[debian-lts-announce] 20180707 [SECURITY] [DLA 1418-1] bouncycastle security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html"
              },
              {
                "name": "RHSA-2018:2669",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2669"
              },
              {
                "name": "USN-3727-1",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/3727-1/"
              },
              {
                "name": "RHSA-2018:2927",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2927"
              },
              {
                "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20231006-0011/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-10-14T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of \u0027invisible\u0027 data into a signed structure."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-06T14:06:34.847Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "[debian-lts-announce] 20180707 [SECURITY] [DLA 1418-1] bouncycastle security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html"
            },
            {
              "name": "RHSA-2018:2669",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2669"
            },
            {
              "name": "USN-3727-1",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://usn.ubuntu.com/3727-1/"
            },
            {
              "name": "RHSA-2018:2927",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
              "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "url": "https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20231006-0011/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2016-1000338",
        "datePublished": "2018-06-01T00:00:00.000Z",
        "dateReserved": "2018-06-01T00:00:00.000Z",
        "dateUpdated": "2024-08-06T03:55:27.500Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-10237 (GCVE-0-2018-10237)

    Vulnerability from cvelistv5 – Published: 2018-04-26 21:00 – Updated: 2024-08-05 07:32
    VLAI
    Summary
    Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2018:2428 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2740 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2741 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2742 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2598 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2643 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2424 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2423 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2425 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2927 vendor-advisoryx_refsource_REDHAT
    http://www.securitytracker.com/id/1041707 vdb-entryx_refsource_SECTRACK
    https://access.redhat.com/errata/RHSA-2018:2743 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/cc48fe770c45… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/19fa48533bc7… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ff8dcfe29377… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/3ddd79c801ed… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/3d5dbdd92ac9… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/33c6bccfeb7a… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/053d9ce4d579… mailing-listx_refsource_MLIST
    https://access.redhat.com/errata/RHSA-2019:2858 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/b0656d359c7d… mailing-listx_refsource_MLIST
    https://access.redhat.com/errata/RHSA-2019:3149 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/519eb0fd4564… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/f9bc3e55f4e2… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r27eb79a87a7… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r95799427b33… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rc78f6e84f82… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ra0adb9653c7… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rd0c8ec6e044… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r38e2ab87528… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r2ea4e5e5aa8… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r43491b25b2e… mailing-listx_refsource_MLIST
    https://www.oracle.com/security-alerts/cpuapr2020.html x_refsource_MISC
    https://lists.apache.org/thread.html/rc8467f357b9… mailing-listx_refsource_MLIST
    https://www.oracle.com/security-alerts/cpujul2020.html x_refsource_MISC
    https://groups.google.com/d/topic/guava-announce/… x_refsource_CONFIRM
    https://lists.apache.org/thread.html/r02e39d7beb3… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r02e39d7beb3… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r50fc0bcc734… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rdc56c15693c… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ra8906723927… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ra4f44016926… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rb3da574c34b… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r223bc776a07… mailing-listx_refsource_MLIST
    https://www.oracle.com/security-alerts/cpujan2021.html x_refsource_MISC
    https://lists.apache.org/thread.html/r841c5e14e1b… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r22c8173b804… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r352e40ca987… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r30e7d7b6bfa… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r3c3b33ee5be… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rd01f5ff0164… mailing-listx_refsource_MLIST
    https://www.oracle.com/security-alerts/cpuoct2021.html x_refsource_MISC
    https://security.netapp.com/advisory/ntap-2022062… x_refsource_CONFIRM
    Date Public
    2018-04-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:32:01.750Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:2428",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2428"
              },
              {
                "name": "RHSA-2018:2740",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2740"
              },
              {
                "name": "RHSA-2018:2741",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2741"
              },
              {
                "name": "RHSA-2018:2742",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2742"
              },
              {
                "name": "RHSA-2018:2598",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2598"
              },
              {
                "name": "RHSA-2018:2643",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2643"
              },
              {
                "name": "RHSA-2018:2424",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2424"
              },
              {
                "name": "RHSA-2018:2423",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2423"
              },
              {
                "name": "RHSA-2018:2425",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2425"
              },
              {
                "name": "RHSA-2018:2927",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2927"
              },
              {
                "name": "1041707",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1041707"
              },
              {
                "name": "RHSA-2018:2743",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2743"
              },
              {
                "name": "[hadoop-hdfs-dev] 20190401 Update guava to 27.0-jre in hadoop-project",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/cc48fe770c45a74dc3b37ed0817393e0c96701fc49bc431ed922f3cc%40%3Chdfs-dev.hadoop.apache.org%3E"
              },
              {
                "name": "[hadoop-common-dev] 20190401 Update guava to 27.0-jre in hadoop-project",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/19fa48533bc7ea1accf6b12746a74ed888ae6e49a5cf81ae4f807495%40%3Ccommon-dev.hadoop.apache.org%3E"
              },
              {
                "name": "[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E"
              },
              {
                "name": "[activemq-issues] 20190516 [jira] [Created] (AMQ-7208) Security Issue related to Guava 18.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/3ddd79c801edd99c0978e83dbe2168ebd36fd42acfa5dac38fb03dd6%40%3Cissues.activemq.apache.org%3E"
              },
              {
                "name": "[activemq-gitbox] 20190530 [GitHub] [activemq-artemis] brusdev opened a new pull request #2687: ARTEMIS-2359 Upgrade to Guava 24.1",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/3d5dbdd92ac9ceaef90e40f78599f9109f2f345252e0ac9d98e7e084%40%3Cgitbox.activemq.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20190612 [jira] [Assigned] (CASSANDRA-14760) CVE-2018-10237 Security vulnerability in 3.11.3",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/33c6bccfeb7adf644d4d79894ca8f09370be6ed4b20632c2e228d085%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E"
              },
              {
                "name": "RHSA-2019:2858",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2858"
              },
              {
                "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
              },
              {
                "name": "RHSA-2019:3149",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3149"
              },
              {
                "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
              },
              {
                "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
              },
              {
                "name": "[cxf-dev] 20200206 [GitHub] [cxf] davidkarlsen opened a new pull request #638: upgrade guava, CVE-2018-10237",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r27eb79a87a760335226dbfa6a7b7bffea539a535f8e80c41e482106d%40%3Cdev.cxf.apache.org%3E"
              },
              {
                "name": "[cxf-dev] 20200206 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r95799427b335807a4c54776908125c3e66597b65845ae50096d9278a%40%3Cdev.cxf.apache.org%3E"
              },
              {
                "name": "[cxf-dev] 20200211 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc78f6e84f82cc662860e96526d8ab969f34dbe12dc560e22d9d147a3%40%3Cdev.cxf.apache.org%3E"
              },
              {
                "name": "[kafka-users] 20200413 CVEs for the dependency software guava and rocksdbjni of Kafka",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b%40%3Cusers.kafka.apache.org%3E"
              },
              {
                "name": "[cxf-dev] 20200420 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd0c8ec6e044aa2958dd0549ebf8ecead7f5968c9474ba73a504161b2%40%3Cdev.cxf.apache.org%3E"
              },
              {
                "name": "[cxf-dev] 20200420 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r38e2ab87528d3c904e7fac496e8fd766b9277656ff95b97d6b6b6dcd%40%3Cdev.cxf.apache.org%3E"
              },
              {
                "name": "[cxf-dev] 20200420 [GitHub] [cxf] andrei-ivanov commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r2ea4e5e5aa8ad73b001a466c582899620961f47d77a40af712c1fdf9%40%3Cdev.cxf.apache.org%3E"
              },
              {
                "name": "[syncope-dev] 20200423 Re: Time to cut 2.1.6 / 2.0.15?",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540%40%3Cdev.syncope.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
              },
              {
                "name": "[hadoop-common-dev] 20200623 Update guava to 27.0-jre in hadoop branch-2.10",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc8467f357b943ceaa86f289f8bc1a5d1c7955b75d3bac1426f2d4ac1%40%3Ccommon-dev.hadoop.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion"
              },
              {
                "name": "[flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cdev.flink.apache.org%3E"
              },
              {
                "name": "[flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cuser.flink.apache.org%3E"
              },
              {
                "name": "[flink-dev] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r50fc0bcc734dd82e691d36d209258683141bfc0083739a77e56ad92d%40%3Cdev.flink.apache.org%3E"
              },
              {
                "name": "[flink-issues] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rdc56c15693c236e31e1e95f847b8e5e74fc0a05741d47488e7fc8c45%40%3Cissues.flink.apache.org%3E"
              },
              {
                "name": "[flink-issues] 20200814 [jira] [Commented] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ra8906723927aef2a599398c238eacfc845b74d812e0093ec2fc70a7d%40%3Cissues.flink.apache.org%3E"
              },
              {
                "name": "[lucene-issues] 20201022 [jira] [Created] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ra4f44016926dcb034b3b230280a18102062f94ae55b8a31bb92fed84%40%3Cissues.lucene.apache.org%3E"
              },
              {
                "name": "[lucene-issues] 20201022 [jira] [Updated] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rb3da574c34bc6bd37972d2266af3093b90d7e437460423c24f477919%40%3Cissues.lucene.apache.org%3E"
              },
              {
                "name": "[lucene-issues] 20201022 [jira] [Resolved] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r223bc776a077d0795786c38cbc6e7dd808fce1a9161b00ba9c0a5d55%40%3Cissues.lucene.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
              },
              {
                "name": "[maven-issues] 20210122 [GitHub] [maven-indexer] akurtakov opened a new pull request #75: Remove guava dependency from indexer-core",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E"
              },
              {
                "name": "[flink-issues] 20210212 [jira] [Closed] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r22c8173b804cd4a420c43064ba4e363d0022aa421008b1989f7354d4%40%3Cissues.flink.apache.org%3E"
              },
              {
                "name": "[samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E"
              },
              {
                "name": "[storm-issues] 20210315 [jira] [Created] (STORM-3754) Upgrade Guava version because of security vulnerability",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r30e7d7b6bfa630dacc41649a0e96dad75165d50474c1241068aa0f94%40%3Cissues.storm.apache.org%3E"
              },
              {
                "name": "[pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10149: Upgrade jclouds to 2.3.0 to fix security vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E"
              },
              {
                "name": "[arrow-github] 20210610 [GitHub] [arrow] projjal opened a new pull request #10501: ARROW-13032: Update guava version",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20220629-0008/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2018-04-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-29T18:07:18.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "RHSA-2018:2428",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2428"
            },
            {
              "name": "RHSA-2018:2740",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2740"
            },
            {
              "name": "RHSA-2018:2741",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2741"
            },
            {
              "name": "RHSA-2018:2742",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2742"
            },
            {
              "name": "RHSA-2018:2598",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2598"
            },
            {
              "name": "RHSA-2018:2643",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2643"
            },
            {
              "name": "RHSA-2018:2424",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2424"
            },
            {
              "name": "RHSA-2018:2423",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2423"
            },
            {
              "name": "RHSA-2018:2425",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2425"
            },
            {
              "name": "RHSA-2018:2927",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
              "name": "1041707",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1041707"
            },
            {
              "name": "RHSA-2018:2743",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2743"
            },
            {
              "name": "[hadoop-hdfs-dev] 20190401 Update guava to 27.0-jre in hadoop-project",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/cc48fe770c45a74dc3b37ed0817393e0c96701fc49bc431ed922f3cc%40%3Chdfs-dev.hadoop.apache.org%3E"
            },
            {
              "name": "[hadoop-common-dev] 20190401 Update guava to 27.0-jre in hadoop-project",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/19fa48533bc7ea1accf6b12746a74ed888ae6e49a5cf81ae4f807495%40%3Ccommon-dev.hadoop.apache.org%3E"
            },
            {
              "name": "[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E"
            },
            {
              "name": "[activemq-issues] 20190516 [jira] [Created] (AMQ-7208) Security Issue related to Guava 18.0",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/3ddd79c801edd99c0978e83dbe2168ebd36fd42acfa5dac38fb03dd6%40%3Cissues.activemq.apache.org%3E"
            },
            {
              "name": "[activemq-gitbox] 20190530 [GitHub] [activemq-artemis] brusdev opened a new pull request #2687: ARTEMIS-2359 Upgrade to Guava 24.1",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/3d5dbdd92ac9ceaef90e40f78599f9109f2f345252e0ac9d98e7e084%40%3Cgitbox.activemq.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20190612 [jira] [Assigned] (CASSANDRA-14760) CVE-2018-10237 Security vulnerability in 3.11.3",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/33c6bccfeb7adf644d4d79894ca8f09370be6ed4b20632c2e228d085%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E"
            },
            {
              "name": "RHSA-2019:2858",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2858"
            },
            {
              "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
            },
            {
              "name": "RHSA-2019:3149",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3149"
            },
            {
              "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
            },
            {
              "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
            },
            {
              "name": "[cxf-dev] 20200206 [GitHub] [cxf] davidkarlsen opened a new pull request #638: upgrade guava, CVE-2018-10237",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r27eb79a87a760335226dbfa6a7b7bffea539a535f8e80c41e482106d%40%3Cdev.cxf.apache.org%3E"
            },
            {
              "name": "[cxf-dev] 20200206 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r95799427b335807a4c54776908125c3e66597b65845ae50096d9278a%40%3Cdev.cxf.apache.org%3E"
            },
            {
              "name": "[cxf-dev] 20200211 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc78f6e84f82cc662860e96526d8ab969f34dbe12dc560e22d9d147a3%40%3Cdev.cxf.apache.org%3E"
            },
            {
              "name": "[kafka-users] 20200413 CVEs for the dependency software guava and rocksdbjni of Kafka",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b%40%3Cusers.kafka.apache.org%3E"
            },
            {
              "name": "[cxf-dev] 20200420 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd0c8ec6e044aa2958dd0549ebf8ecead7f5968c9474ba73a504161b2%40%3Cdev.cxf.apache.org%3E"
            },
            {
              "name": "[cxf-dev] 20200420 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r38e2ab87528d3c904e7fac496e8fd766b9277656ff95b97d6b6b6dcd%40%3Cdev.cxf.apache.org%3E"
            },
            {
              "name": "[cxf-dev] 20200420 [GitHub] [cxf] andrei-ivanov commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r2ea4e5e5aa8ad73b001a466c582899620961f47d77a40af712c1fdf9%40%3Cdev.cxf.apache.org%3E"
            },
            {
              "name": "[syncope-dev] 20200423 Re: Time to cut 2.1.6 / 2.0.15?",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540%40%3Cdev.syncope.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
              "name": "[hadoop-common-dev] 20200623 Update guava to 27.0-jre in hadoop branch-2.10",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc8467f357b943ceaa86f289f8bc1a5d1c7955b75d3bac1426f2d4ac1%40%3Ccommon-dev.hadoop.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion"
            },
            {
              "name": "[flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cdev.flink.apache.org%3E"
            },
            {
              "name": "[flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb%40%3Cuser.flink.apache.org%3E"
            },
            {
              "name": "[flink-dev] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r50fc0bcc734dd82e691d36d209258683141bfc0083739a77e56ad92d%40%3Cdev.flink.apache.org%3E"
            },
            {
              "name": "[flink-issues] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rdc56c15693c236e31e1e95f847b8e5e74fc0a05741d47488e7fc8c45%40%3Cissues.flink.apache.org%3E"
            },
            {
              "name": "[flink-issues] 20200814 [jira] [Commented] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ra8906723927aef2a599398c238eacfc845b74d812e0093ec2fc70a7d%40%3Cissues.flink.apache.org%3E"
            },
            {
              "name": "[lucene-issues] 20201022 [jira] [Created] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ra4f44016926dcb034b3b230280a18102062f94ae55b8a31bb92fed84%40%3Cissues.lucene.apache.org%3E"
            },
            {
              "name": "[lucene-issues] 20201022 [jira] [Updated] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rb3da574c34bc6bd37972d2266af3093b90d7e437460423c24f477919%40%3Cissues.lucene.apache.org%3E"
            },
            {
              "name": "[lucene-issues] 20201022 [jira] [Resolved] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r223bc776a077d0795786c38cbc6e7dd808fce1a9161b00ba9c0a5d55%40%3Cissues.lucene.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            },
            {
              "name": "[maven-issues] 20210122 [GitHub] [maven-indexer] akurtakov opened a new pull request #75: Remove guava dependency from indexer-core",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E"
            },
            {
              "name": "[flink-issues] 20210212 [jira] [Closed] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r22c8173b804cd4a420c43064ba4e363d0022aa421008b1989f7354d4%40%3Cissues.flink.apache.org%3E"
            },
            {
              "name": "[samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E"
            },
            {
              "name": "[storm-issues] 20210315 [jira] [Created] (STORM-3754) Upgrade Guava version because of security vulnerability",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r30e7d7b6bfa630dacc41649a0e96dad75165d50474c1241068aa0f94%40%3Cissues.storm.apache.org%3E"
            },
            {
              "name": "[pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10149: Upgrade jclouds to 2.3.0 to fix security vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E"
            },
            {
              "name": "[arrow-github] 20210610 [GitHub] [arrow] projjal opened a new pull request #10501: ARROW-13032: Update guava version",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20220629-0008/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2018-10237",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:2428",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2428"
                },
                {
                  "name": "RHSA-2018:2740",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2740"
                },
                {
                  "name": "RHSA-2018:2741",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2741"
                },
                {
                  "name": "RHSA-2018:2742",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2742"
                },
                {
                  "name": "RHSA-2018:2598",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2598"
                },
                {
                  "name": "RHSA-2018:2643",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2643"
                },
                {
                  "name": "RHSA-2018:2424",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2424"
                },
                {
                  "name": "RHSA-2018:2423",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2423"
                },
                {
                  "name": "RHSA-2018:2425",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2425"
                },
                {
                  "name": "RHSA-2018:2927",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2927"
                },
                {
                  "name": "1041707",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1041707"
                },
                {
                  "name": "RHSA-2018:2743",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2743"
                },
                {
                  "name": "[hadoop-hdfs-dev] 20190401 Update guava to 27.0-jre in hadoop-project",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/cc48fe770c45a74dc3b37ed0817393e0c96701fc49bc431ed922f3cc@%3Chdfs-dev.hadoop.apache.org%3E"
                },
                {
                  "name": "[hadoop-common-dev] 20190401 Update guava to 27.0-jre in hadoop-project",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/19fa48533bc7ea1accf6b12746a74ed888ae6e49a5cf81ae4f807495@%3Ccommon-dev.hadoop.apache.org%3E"
                },
                {
                  "name": "[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E"
                },
                {
                  "name": "[activemq-issues] 20190516 [jira] [Created] (AMQ-7208) Security Issue related to Guava 18.0",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/3ddd79c801edd99c0978e83dbe2168ebd36fd42acfa5dac38fb03dd6@%3Cissues.activemq.apache.org%3E"
                },
                {
                  "name": "[activemq-gitbox] 20190530 [GitHub] [activemq-artemis] brusdev opened a new pull request #2687: ARTEMIS-2359 Upgrade to Guava 24.1",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/3d5dbdd92ac9ceaef90e40f78599f9109f2f345252e0ac9d98e7e084@%3Cgitbox.activemq.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20190612 [jira] [Assigned] (CASSANDRA-14760) CVE-2018-10237 Security vulnerability in 3.11.3",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/33c6bccfeb7adf644d4d79894ca8f09370be6ed4b20632c2e228d085@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E"
                },
                {
                  "name": "RHSA-2019:2858",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2858"
                },
                {
                  "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
                },
                {
                  "name": "RHSA-2019:3149",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3149"
                },
                {
                  "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
                },
                {
                  "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
                },
                {
                  "name": "[cxf-dev] 20200206 [GitHub] [cxf] davidkarlsen opened a new pull request #638: upgrade guava, CVE-2018-10237",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r27eb79a87a760335226dbfa6a7b7bffea539a535f8e80c41e482106d@%3Cdev.cxf.apache.org%3E"
                },
                {
                  "name": "[cxf-dev] 20200206 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r95799427b335807a4c54776908125c3e66597b65845ae50096d9278a@%3Cdev.cxf.apache.org%3E"
                },
                {
                  "name": "[cxf-dev] 20200211 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc78f6e84f82cc662860e96526d8ab969f34dbe12dc560e22d9d147a3@%3Cdev.cxf.apache.org%3E"
                },
                {
                  "name": "[kafka-users] 20200413 CVEs for the dependency software guava and rocksdbjni of Kafka",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b@%3Cusers.kafka.apache.org%3E"
                },
                {
                  "name": "[cxf-dev] 20200420 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd0c8ec6e044aa2958dd0549ebf8ecead7f5968c9474ba73a504161b2@%3Cdev.cxf.apache.org%3E"
                },
                {
                  "name": "[cxf-dev] 20200420 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r38e2ab87528d3c904e7fac496e8fd766b9277656ff95b97d6b6b6dcd@%3Cdev.cxf.apache.org%3E"
                },
                {
                  "name": "[cxf-dev] 20200420 [GitHub] [cxf] andrei-ivanov commented on a change in pull request #638: upgrade guava, CVE-2018-10237",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r2ea4e5e5aa8ad73b001a466c582899620961f47d77a40af712c1fdf9@%3Cdev.cxf.apache.org%3E"
                },
                {
                  "name": "[syncope-dev] 20200423 Re: Time to cut 2.1.6 / 2.0.15?",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540@%3Cdev.syncope.apache.org%3E"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
                },
                {
                  "name": "[hadoop-common-dev] 20200623 Update guava to 27.0-jre in hadoop branch-2.10",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc8467f357b943ceaa86f289f8bc1a5d1c7955b75d3bac1426f2d4ac1@%3Ccommon-dev.hadoop.apache.org%3E"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
                },
                {
                  "name": "https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion",
                  "refsource": "CONFIRM",
                  "url": "https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion"
                },
                {
                  "name": "[flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cdev.flink.apache.org%3E"
                },
                {
                  "name": "[flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cuser.flink.apache.org%3E"
                },
                {
                  "name": "[flink-dev] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r50fc0bcc734dd82e691d36d209258683141bfc0083739a77e56ad92d@%3Cdev.flink.apache.org%3E"
                },
                {
                  "name": "[flink-issues] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rdc56c15693c236e31e1e95f847b8e5e74fc0a05741d47488e7fc8c45@%3Cissues.flink.apache.org%3E"
                },
                {
                  "name": "[flink-issues] 20200814 [jira] [Commented] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ra8906723927aef2a599398c238eacfc845b74d812e0093ec2fc70a7d@%3Cissues.flink.apache.org%3E"
                },
                {
                  "name": "[lucene-issues] 20201022 [jira] [Created] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ra4f44016926dcb034b3b230280a18102062f94ae55b8a31bb92fed84@%3Cissues.lucene.apache.org%3E"
                },
                {
                  "name": "[lucene-issues] 20201022 [jira] [Updated] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rb3da574c34bc6bd37972d2266af3093b90d7e437460423c24f477919@%3Cissues.lucene.apache.org%3E"
                },
                {
                  "name": "[lucene-issues] 20201022 [jira] [Resolved] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r223bc776a077d0795786c38cbc6e7dd808fce1a9161b00ba9c0a5d55@%3Cissues.lucene.apache.org%3E"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
                },
                {
                  "name": "[maven-issues] 20210122 [GitHub] [maven-indexer] akurtakov opened a new pull request #75: Remove guava dependency from indexer-core",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E"
                },
                {
                  "name": "[flink-issues] 20210212 [jira] [Closed] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r22c8173b804cd4a420c43064ba4e363d0022aa421008b1989f7354d4@%3Cissues.flink.apache.org%3E"
                },
                {
                  "name": "[samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E"
                },
                {
                  "name": "[storm-issues] 20210315 [jira] [Created] (STORM-3754) Upgrade Guava version because of security vulnerability",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r30e7d7b6bfa630dacc41649a0e96dad75165d50474c1241068aa0f94@%3Cissues.storm.apache.org%3E"
                },
                {
                  "name": "[pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10149: Upgrade jclouds to 2.3.0 to fix security vulnerabilities",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748@%3Ccommits.pulsar.apache.org%3E"
                },
                {
                  "name": "[arrow-github] 20210610 [GitHub] [arrow] projjal opened a new pull request #10501: ARROW-13032: Update guava version",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95@%3Cgithub.arrow.apache.org%3E"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20220629-0008/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20220629-0008/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2018-10237",
        "datePublished": "2018-04-26T21:00:00.000Z",
        "dateReserved": "2018-04-20T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:32:01.750Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-5382 (GCVE-0-2018-5382)

    Vulnerability from cvelistv5 – Published: 2018-04-16 13:00 – Updated: 2024-09-16 16:27
    VLAI
    Title
    Bouncy Castle BKS-V1 keystore files vulnerable to trivial hash collisions
    Summary
    The default BKS keystore use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS keystore. Bouncy Castle release 1.47 changes the BKS format to a format which uses a 160 bit HMAC instead. This applies to any BKS keystore generated prior to BC 1.47. For situations where people need to create the files for legacy reasons a specific keystore type "BKS-V1" was introduced in 1.49. It should be noted that the use of "BKS-V1" is discouraged by the library authors and should only be used where it is otherwise safe to do so, as in where the use of a 16 bit checksum for the file integrity check is not going to cause a security issue in itself.
    Severity
    No CVSS data available.
    CWE
    • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
    Assigner
    References
    Impacted products
    Vendor Product Version
    Legion of the Bouncy Castle Bouncy Castle Affected: all , < 1.47 (custom)
    Create a notification for this product.
    Date Public
    2012-03-20 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T05:33:44.404Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "103453",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/103453"
              },
              {
                "name": "RHSA-2018:2927",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2927"
              },
              {
                "name": "VU#306792",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://www.kb.cert.org/vuls/id/306792"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.bouncycastle.org/releasenotes.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Bouncy Castle",
              "vendor": "Legion of the Bouncy Castle",
              "versions": [
                {
                  "lessThan": "1.47",
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2012-03-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The default BKS keystore use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS keystore. Bouncy Castle release 1.47 changes the BKS format to a format which uses a 160 bit HMAC instead. This applies to any BKS keystore generated prior to BC 1.47. For situations where people need to create the files for legacy reasons a specific keystore type \"BKS-V1\" was introduced in 1.49. It should be noted that the use of \"BKS-V1\" is discouraged by the library authors and should only be used where it is otherwise safe to do so, as in where the use of a 16 bit checksum for the file integrity check is not going to cause a security issue in itself."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-02T18:52:28.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "name": "103453",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/103453"
            },
            {
              "name": "RHSA-2018:2927",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
              "name": "VU#306792",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://www.kb.cert.org/vuls/id/306792"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.bouncycastle.org/releasenotes.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Bouncy Castle BKS-V1 keystore files vulnerable to trivial hash collisions",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cert@cert.org",
              "DATE_PUBLIC": "2012-03-20T00:00:00.000Z",
              "ID": "CVE-2018-5382",
              "STATE": "PUBLIC",
              "TITLE": "Bouncy Castle BKS-V1 keystore files vulnerable to trivial hash collisions"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Bouncy Castle",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_name": "all",
                                "version_value": "1.47"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Legion of the Bouncy Castle"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The default BKS keystore use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS keystore. Bouncy Castle release 1.47 changes the BKS format to a format which uses a 160 bit HMAC instead. This applies to any BKS keystore generated prior to BC 1.47. For situations where people need to create the files for legacy reasons a specific keystore type \"BKS-V1\" was introduced in 1.49. It should be noted that the use of \"BKS-V1\" is discouraged by the library authors and should only be used where it is otherwise safe to do so, as in where the use of a 16 bit checksum for the file integrity check is not going to cause a security issue in itself."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "103453",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/103453"
                },
                {
                  "name": "RHSA-2018:2927",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2927"
                },
                {
                  "name": "VU#306792",
                  "refsource": "CERT-VN",
                  "url": "https://www.kb.cert.org/vuls/id/306792"
                },
                {
                  "name": "https://www.bouncycastle.org/releasenotes.html",
                  "refsource": "MISC",
                  "url": "https://www.bouncycastle.org/releasenotes.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2018-5382",
        "datePublished": "2018-04-16T13:00:00.000Z",
        "dateReserved": "2018-01-12T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:27:56.228Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-2667 (GCVE-0-2017-2667)

    Vulnerability from cvelistv5 – Published: 2018-03-12 15:00 – Updated: 2024-08-05 14:02
    VLAI
    Summary
    Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not explicitly set the verify_ssl flag for apipie-bindings that disable it by default. As a result the server certificates are not checked and connections are prone to man-in-the-middle attacks.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Foreman Hammer CLI Affected: 0.10.0
    Create a notification for this product.
    Date Public
    2017-03-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:02:07.434Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1436262"
              },
              {
                "name": "RHSA-2018:0336",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0336"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://projects.theforeman.org/issues/19033"
              },
              {
                "name": "97153",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/97153"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Hammer CLI",
              "vendor": "Foreman",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.10.0"
                }
              ]
            }
          ],
          "datePublic": "2017-03-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not explicitly set the verify_ssl flag for apipie-bindings that disable it by default. As a result the server certificates are not checked and connections are prone to man-in-the-middle attacks."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-03-13T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1436262"
            },
            {
              "name": "RHSA-2018:0336",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0336"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://projects.theforeman.org/issues/19033"
            },
            {
              "name": "97153",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/97153"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-2667",
        "datePublished": "2018-03-12T15:00:00.000Z",
        "dateReserved": "2016-12-01T00:00:00.000Z",
        "dateUpdated": "2024-08-05T14:02:07.434Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-15095 (GCVE-0-2017-15095)

    Vulnerability from cvelistv5 – Published: 2018-02-06 15:00 – Updated: 2024-09-16 22:57
    VLAI
    Summary
    A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2018:1448 vendor-advisoryx_refsource_REDHAT
    http://www.securityfocus.com/bid/103880 vdb-entryx_refsource_BID
    https://access.redhat.com/errata/RHSA-2018:0479 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:0481 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:1449 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:1450 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:0577 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:0576 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:3190 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:1451 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:3189 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2927 vendor-advisoryx_refsource_REDHAT
    http://www.securitytracker.com/id/1039769 vdb-entryx_refsource_SECTRACK
    https://access.redhat.com/errata/RHSA-2018:0342 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:0480 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:1447 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:0478 vendor-advisoryx_refsource_REDHAT
    https://www.debian.org/security/2017/dsa-4037 vendor-advisoryx_refsource_DEBIAN
    https://access.redhat.com/errata/RHSA-2019:2858 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3149 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:3892 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/f095a791bda6… mailing-listx_refsource_MLIST
    https://lists.debian.org/debian-lts-announce/2020… mailing-listx_refsource_MLIST
    http://www.oracle.com/technetwork/security-adviso… x_refsource_CONFIRM
    http://www.oracle.com/technetwork/security-adviso… x_refsource_CONFIRM
    http://www.oracle.com/technetwork/security-adviso… x_refsource_CONFIRM
    https://www.oracle.com/technetwork/security-advis… x_refsource_CONFIRM
    https://www.oracle.com/technetwork/security-advis… x_refsource_MISC
    https://www.oracle.com/security-alerts/cpuoct2020.html x_refsource_MISC
    https://security.netapp.com/advisory/ntap-2017121… x_refsource_CONFIRM
    https://github.com/FasterXML/jackson-databind/iss… x_refsource_CONFIRM
    https://github.com/FasterXML/jackson-databind/iss… x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    FasterXML jackson-databind Affected: before 2.8.10
    Affected: before 2.9.1
    Create a notification for this product.
    Date Public
    2017-06-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T19:50:14.982Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:1448",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:1448"
              },
              {
                "name": "103880",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/103880"
              },
              {
                "name": "RHSA-2018:0479",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0479"
              },
              {
                "name": "RHSA-2018:0481",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0481"
              },
              {
                "name": "RHSA-2018:1449",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:1449"
              },
              {
                "name": "RHSA-2018:1450",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:1450"
              },
              {
                "name": "RHSA-2018:0577",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0577"
              },
              {
                "name": "RHSA-2018:0576",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0576"
              },
              {
                "name": "RHSA-2017:3190",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3190"
              },
              {
                "name": "RHSA-2018:1451",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:1451"
              },
              {
                "name": "RHSA-2017:3189",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3189"
              },
              {
                "name": "RHSA-2018:2927",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2927"
              },
              {
                "name": "1039769",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1039769"
              },
              {
                "name": "RHSA-2018:0342",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0342"
              },
              {
                "name": "RHSA-2018:0480",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0480"
              },
              {
                "name": "RHSA-2018:1447",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:1447"
              },
              {
                "name": "RHSA-2018:0478",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0478"
              },
              {
                "name": "DSA-4037",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2017/dsa-4037"
              },
              {
                "name": "RHSA-2019:2858",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:2858"
              },
              {
                "name": "RHSA-2019:3149",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3149"
              },
              {
                "name": "RHSA-2019:3892",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:3892"
              },
              {
                "name": "[lucene-solr-user] 20191219 Re: CVE-2017-7525 fix for Solr 7.7.x",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E"
              },
              {
                "name": "[debian-lts-announce] 20200131 [SECURITY] [DLA 2091-1] libjackson-json-java security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20171214-0003/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/FasterXML/jackson-databind/issues/1737"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/FasterXML/jackson-databind/issues/1680"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jackson-databind",
              "vendor": "FasterXML",
              "versions": [
                {
                  "status": "affected",
                  "version": "before 2.8.10"
                },
                {
                  "status": "affected",
                  "version": "before 2.9.1"
                }
              ]
            }
          ],
          "datePublic": "2017-06-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-184",
                  "description": "CWE-184",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-10-20T21:14:51.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2018:1448",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1448"
            },
            {
              "name": "103880",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/103880"
            },
            {
              "name": "RHSA-2018:0479",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0479"
            },
            {
              "name": "RHSA-2018:0481",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0481"
            },
            {
              "name": "RHSA-2018:1449",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1449"
            },
            {
              "name": "RHSA-2018:1450",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1450"
            },
            {
              "name": "RHSA-2018:0577",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0577"
            },
            {
              "name": "RHSA-2018:0576",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0576"
            },
            {
              "name": "RHSA-2017:3190",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3190"
            },
            {
              "name": "RHSA-2018:1451",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1451"
            },
            {
              "name": "RHSA-2017:3189",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3189"
            },
            {
              "name": "RHSA-2018:2927",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
              "name": "1039769",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1039769"
            },
            {
              "name": "RHSA-2018:0342",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0342"
            },
            {
              "name": "RHSA-2018:0480",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0480"
            },
            {
              "name": "RHSA-2018:1447",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1447"
            },
            {
              "name": "RHSA-2018:0478",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0478"
            },
            {
              "name": "DSA-4037",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2017/dsa-4037"
            },
            {
              "name": "RHSA-2019:2858",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:2858"
            },
            {
              "name": "RHSA-2019:3149",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3149"
            },
            {
              "name": "RHSA-2019:3892",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:3892"
            },
            {
              "name": "[lucene-solr-user] 20191219 Re: CVE-2017-7525 fix for Solr 7.7.x",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629%40%3Csolr-user.lucene.apache.org%3E"
            },
            {
              "name": "[debian-lts-announce] 20200131 [SECURITY] [DLA 2091-1] libjackson-json-java security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20171214-0003/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/FasterXML/jackson-databind/issues/1737"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/FasterXML/jackson-databind/issues/1680"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "DATE_PUBLIC": "2017-06-27T00:00:00",
              "ID": "CVE-2017-15095",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "jackson-databind",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "before 2.8.10"
                              },
                              {
                                "version_value": "before 2.9.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "FasterXML"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-184"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:1448",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:1448"
                },
                {
                  "name": "103880",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/103880"
                },
                {
                  "name": "RHSA-2018:0479",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0479"
                },
                {
                  "name": "RHSA-2018:0481",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0481"
                },
                {
                  "name": "RHSA-2018:1449",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:1449"
                },
                {
                  "name": "RHSA-2018:1450",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:1450"
                },
                {
                  "name": "RHSA-2018:0577",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0577"
                },
                {
                  "name": "RHSA-2018:0576",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0576"
                },
                {
                  "name": "RHSA-2017:3190",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3190"
                },
                {
                  "name": "RHSA-2018:1451",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:1451"
                },
                {
                  "name": "RHSA-2017:3189",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3189"
                },
                {
                  "name": "RHSA-2018:2927",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2927"
                },
                {
                  "name": "1039769",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1039769"
                },
                {
                  "name": "RHSA-2018:0342",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0342"
                },
                {
                  "name": "RHSA-2018:0480",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0480"
                },
                {
                  "name": "RHSA-2018:1447",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:1447"
                },
                {
                  "name": "RHSA-2018:0478",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0478"
                },
                {
                  "name": "DSA-4037",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2017/dsa-4037"
                },
                {
                  "name": "RHSA-2019:2858",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:2858"
                },
                {
                  "name": "RHSA-2019:3149",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3149"
                },
                {
                  "name": "RHSA-2019:3892",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:3892"
                },
                {
                  "name": "[lucene-solr-user] 20191219 Re: CVE-2017-7525 fix for Solr 7.7.x",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E"
                },
                {
                  "name": "[debian-lts-announce] 20200131 [SECURITY] [DLA 2091-1] libjackson-json-java security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html"
                },
                {
                  "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
                  "refsource": "CONFIRM",
                  "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
                },
                {
                  "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
                  "refsource": "CONFIRM",
                  "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
                },
                {
                  "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
                  "refsource": "CONFIRM",
                  "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
                },
                {
                  "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
                },
                {
                  "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20171214-0003/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20171214-0003/"
                },
                {
                  "name": "https://github.com/FasterXML/jackson-databind/issues/1737",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/FasterXML/jackson-databind/issues/1737"
                },
                {
                  "name": "https://github.com/FasterXML/jackson-databind/issues/1680",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/FasterXML/jackson-databind/issues/1680"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-15095",
        "datePublished": "2018-02-06T15:00:00.000Z",
        "dateReserved": "2017-10-08T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:57:07.488Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7536 (GCVE-0-2017-7536)

    Vulnerability from cvelistv5 – Published: 2018-01-10 15:00 – Updated: 2024-09-16 17:32
    VLAI
    Summary
    In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2017:2809 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:3817 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2740 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:2810 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2741 vendor-advisoryx_refsource_REDHAT
    http://www.securitytracker.com/id/1039744 vdb-entryx_refsource_SECTRACK
    https://access.redhat.com/errata/RHSA-2018:2742 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:3458 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:2808 vendor-advisoryx_refsource_REDHAT
    http://www.securityfocus.com/bid/101048 vdb-entryx_refsource_BID
    https://access.redhat.com/errata/RHSA-2017:3455 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2927 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:3456 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2743 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:3454 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:3141 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:2811 vendor-advisoryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=1465573 x_refsource_CONFIRM
    https://lists.apache.org/thread.html/9317fd092b25… mailing-listx_refsource_MLIST
    Impacted products
    Vendor Product Version
    Red Hat, Inc. hibernate-validator Affected: 5.2.x before 5.2.5 final
    Affected: 5.3.x
    Affected: 5.4.x
    Create a notification for this product.
    Date Public
    2017-06-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:04:11.963Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2017:2809",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:2809"
              },
              {
                "name": "RHSA-2018:3817",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3817"
              },
              {
                "name": "RHSA-2018:2740",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2740"
              },
              {
                "name": "RHSA-2017:2810",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:2810"
              },
              {
                "name": "RHSA-2018:2741",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2741"
              },
              {
                "name": "1039744",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1039744"
              },
              {
                "name": "RHSA-2018:2742",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2742"
              },
              {
                "name": "RHSA-2017:3458",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3458"
              },
              {
                "name": "RHSA-2017:2808",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:2808"
              },
              {
                "name": "101048",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/101048"
              },
              {
                "name": "RHSA-2017:3455",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3455"
              },
              {
                "name": "RHSA-2018:2927",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2927"
              },
              {
                "name": "RHSA-2017:3456",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3456"
              },
              {
                "name": "RHSA-2018:2743",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2743"
              },
              {
                "name": "RHSA-2017:3454",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3454"
              },
              {
                "name": "RHSA-2017:3141",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3141"
              },
              {
                "name": "RHSA-2017:2811",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:2811"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1465573"
              },
              {
                "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hibernate-validator",
              "vendor": "Red Hat, Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.2.x before 5.2.5 final"
                },
                {
                  "status": "affected",
                  "version": "5.3.x"
                },
                {
                  "status": "affected",
                  "version": "5.4.x"
                }
              ]
            }
          ],
          "datePublic": "2017-06-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager\u0027s reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue()."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-592",
                  "description": "CWE-592",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-11-16T01:07:02.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2017:2809",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:2809"
            },
            {
              "name": "RHSA-2018:3817",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3817"
            },
            {
              "name": "RHSA-2018:2740",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2740"
            },
            {
              "name": "RHSA-2017:2810",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:2810"
            },
            {
              "name": "RHSA-2018:2741",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2741"
            },
            {
              "name": "1039744",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1039744"
            },
            {
              "name": "RHSA-2018:2742",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2742"
            },
            {
              "name": "RHSA-2017:3458",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3458"
            },
            {
              "name": "RHSA-2017:2808",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:2808"
            },
            {
              "name": "101048",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/101048"
            },
            {
              "name": "RHSA-2017:3455",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3455"
            },
            {
              "name": "RHSA-2018:2927",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
              "name": "RHSA-2017:3456",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3456"
            },
            {
              "name": "RHSA-2018:2743",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2743"
            },
            {
              "name": "RHSA-2017:3454",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3454"
            },
            {
              "name": "RHSA-2017:3141",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3141"
            },
            {
              "name": "RHSA-2017:2811",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:2811"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1465573"
            },
            {
              "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "DATE_PUBLIC": "2017-06-27T00:00:00",
              "ID": "CVE-2017-7536",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "hibernate-validator",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "5.2.x before 5.2.5 final"
                              },
                              {
                                "version_value": "5.3.x"
                              },
                              {
                                "version_value": "5.4.x"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Red Hat, Inc."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager\u0027s reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue()."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-592"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2017:2809",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:2809"
                },
                {
                  "name": "RHSA-2018:3817",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3817"
                },
                {
                  "name": "RHSA-2018:2740",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2740"
                },
                {
                  "name": "RHSA-2017:2810",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:2810"
                },
                {
                  "name": "RHSA-2018:2741",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2741"
                },
                {
                  "name": "1039744",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1039744"
                },
                {
                  "name": "RHSA-2018:2742",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2742"
                },
                {
                  "name": "RHSA-2017:3458",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3458"
                },
                {
                  "name": "RHSA-2017:2808",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:2808"
                },
                {
                  "name": "101048",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/101048"
                },
                {
                  "name": "RHSA-2017:3455",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3455"
                },
                {
                  "name": "RHSA-2018:2927",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2927"
                },
                {
                  "name": "RHSA-2017:3456",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3456"
                },
                {
                  "name": "RHSA-2018:2743",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2743"
                },
                {
                  "name": "RHSA-2017:3454",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3454"
                },
                {
                  "name": "RHSA-2017:3141",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3141"
                },
                {
                  "name": "RHSA-2017:2811",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:2811"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1465573",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1465573"
                },
                {
                  "name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-7536",
        "datePublished": "2018-01-10T15:00:00.000Z",
        "dateReserved": "2017-04-05T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:32:38.135Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-15100 (GCVE-0-2017-15100)

    Vulnerability from cvelistv5 – Published: 2017-11-27 14:00 – Updated: 2024-08-05 19:50
    VLAI
    Summary
    An attacker submitting facts to the Foreman server containing HTML can cause a stored XSS on certain pages: (1) Facts page, when clicking on the "chart" button and hovering over the chart; (2) Trends page, when checking the graph for a trend based on a such fact; (3) Statistics page, for facts that are aggregated on this page.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Foreman Project Foreman Affected: 1.2 and later, a fix is planned for 1.16.0
    Create a notification for this product.
    Date Public
    2017-10-31 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T19:50:16.130Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/theforeman/foreman/pull/4967"
              },
              {
                "name": "RHSA-2018:2927",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2927"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://projects.theforeman.org/issues/21519"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Foreman",
              "vendor": "Foreman Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.2 and later, a fix is planned for 1.16.0"
                }
              ]
            }
          ],
          "datePublic": "2017-10-31T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker submitting facts to the Foreman server containing HTML can cause a stored XSS on certain pages: (1) Facts page, when clicking on the \"chart\" button and hovering over the chart; (2) Trends page, when checking the graph for a trend based on a such fact; (3) Statistics page, for facts that are aggregated on this page."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-10-17T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/theforeman/foreman/pull/4967"
            },
            {
              "name": "RHSA-2018:2927",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://projects.theforeman.org/issues/21519"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-15100",
        "datePublished": "2017-11-27T14:00:00.000Z",
        "dateReserved": "2017-10-08T00:00:00.000Z",
        "dateUpdated": "2024-08-05T19:50:16.130Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-5929 (GCVE-0-2017-5929)

    Vulnerability from cvelistv5 – Published: 2017-03-13 06:14 – Updated: 2024-08-05 15:18
    VLAI
    Summary
    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2017:1832 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1675 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2927 vendor-advisoryx_refsource_REDHAT
    https://logback.qos.ch/news.html x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2017:1676 vendor-advisoryx_refsource_REDHAT
    https://lists.apache.org/thread.html/a6db61616180… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/18d509024d9a… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/fa4eaaa6ff41… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r967953a14e0… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rbb4dfca2f7e… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/re9b78772729… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r2c2d57ca180… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rd2227af3c9a… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r0bb19330e48… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r46736428935… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r397bf637832… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/rc5f0cc2f3b1… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r718f27bed89… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r2a08573ddee… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/ra007cec726a… mailing-listx_refsource_MLIST
    https://lists.apache.org/thread.html/r632ec30791b… mailing-listx_refsource_MLIST
    Date Public
    2017-03-13 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T15:18:48.814Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2017:1832",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1832"
              },
              {
                "name": "RHSA-2017:1675",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1675"
              },
              {
                "name": "RHSA-2018:2927",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2927"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://logback.qos.ch/news.html"
              },
              {
                "name": "RHSA-2017:1676",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1676"
              },
              {
                "name": "[cassandra-commits] 20191112 [jira] [Created] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/a6db61616180d73711d6db25703085940026e2dbc40f153f9d22b203%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20191112 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/18d509024d9aeb07f0e9579066f80bf5d4dcf20467b0c240043890d1%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15421) CVE-2017-5929(QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/fa4eaaa6ff41ac6f79811e053c152ee89b7c5da8a6ac848ae97df67f%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[brooklyn-dev] 20200420 [GitHub] [brooklyn-server] duncangrant opened a new pull request #1091: Update library versions due to CVEs",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9%40%3Cdev.brooklyn.apache.org%3E"
              },
              {
                "name": "[mnemonic-dev] 20201202 [GitHub] [mnemonic] yzz127 opened a new pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rbb4dfca2f7e3e8f3570eec21c79832d33a51dfde6762725660b60169%40%3Cdev.mnemonic.apache.org%3E"
              },
              {
                "name": "[mnemonic-dev] 20201204 [GitHub] [mnemonic] bigdata-memory merged pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/re9b787727291786dfe088e3cd078c7d195c0b5781e15d3cd24a3b2fc%40%3Cdev.mnemonic.apache.org%3E"
              },
              {
                "name": "[mnemonic-commits] 20201204 [mnemonic] branch master updated: MNEMONIC-553: Fix for CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r2c2d57ca180e8173c90fe313ddf8eabbdcf8e3ae196f8b9f42599790%40%3Ccommits.mnemonic.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd2227af3c9ada2a72dc72ed05517f5857a34d487580e1f2803922ff9%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r0bb19330e48d5ad784fa20dacba9e5538d8d60f5cd9142e0f1432b4b%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210108 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r4673642893562c58cbee60c151ded6c077e8a2d02296e862224a9161%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210111 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r397bf63783240fbb5713389d3f889d287ae0c11509006700ac720037%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc5f0cc2f3b153bdf15ee7389d78585829abc9c7af4d322ba1085dd3e%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r718f27bed898008a8e037d9cc848cfc1df4d18abcbaee0cb0c142cfb%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210111 [jira] [Assigned] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r2a08573ddee4a86dc96d469485a5843a01710ee0dc2078dfca410c79%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ra007cec726a3927c918ec94c4316d05d1829c49eae8dc3648adc35e2%40%3Ccommits.cassandra.apache.org%3E"
              },
              {
                "name": "[cassandra-commits] 20210923 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r632ec30791b441e2eb5a3129532bf1b689bf181d0ef7daf50bcf0fd6%40%3Ccommits.cassandra.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2017-03-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-09-23T15:06:07.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "RHSA-2017:1832",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1832"
            },
            {
              "name": "RHSA-2017:1675",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1675"
            },
            {
              "name": "RHSA-2018:2927",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://logback.qos.ch/news.html"
            },
            {
              "name": "RHSA-2017:1676",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1676"
            },
            {
              "name": "[cassandra-commits] 20191112 [jira] [Created] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/a6db61616180d73711d6db25703085940026e2dbc40f153f9d22b203%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20191112 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/18d509024d9aeb07f0e9579066f80bf5d4dcf20467b0c240043890d1%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15421) CVE-2017-5929(QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/fa4eaaa6ff41ac6f79811e053c152ee89b7c5da8a6ac848ae97df67f%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[brooklyn-dev] 20200420 [GitHub] [brooklyn-server] duncangrant opened a new pull request #1091: Update library versions due to CVEs",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9%40%3Cdev.brooklyn.apache.org%3E"
            },
            {
              "name": "[mnemonic-dev] 20201202 [GitHub] [mnemonic] yzz127 opened a new pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rbb4dfca2f7e3e8f3570eec21c79832d33a51dfde6762725660b60169%40%3Cdev.mnemonic.apache.org%3E"
            },
            {
              "name": "[mnemonic-dev] 20201204 [GitHub] [mnemonic] bigdata-memory merged pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/re9b787727291786dfe088e3cd078c7d195c0b5781e15d3cd24a3b2fc%40%3Cdev.mnemonic.apache.org%3E"
            },
            {
              "name": "[mnemonic-commits] 20201204 [mnemonic] branch master updated: MNEMONIC-553: Fix for CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r2c2d57ca180e8173c90fe313ddf8eabbdcf8e3ae196f8b9f42599790%40%3Ccommits.mnemonic.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd2227af3c9ada2a72dc72ed05517f5857a34d487580e1f2803922ff9%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r0bb19330e48d5ad784fa20dacba9e5538d8d60f5cd9142e0f1432b4b%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210108 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r4673642893562c58cbee60c151ded6c077e8a2d02296e862224a9161%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210111 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r397bf63783240fbb5713389d3f889d287ae0c11509006700ac720037%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc5f0cc2f3b153bdf15ee7389d78585829abc9c7af4d322ba1085dd3e%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r718f27bed898008a8e037d9cc848cfc1df4d18abcbaee0cb0c142cfb%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210111 [jira] [Assigned] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r2a08573ddee4a86dc96d469485a5843a01710ee0dc2078dfca410c79%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ra007cec726a3927c918ec94c4316d05d1829c49eae8dc3648adc35e2%40%3Ccommits.cassandra.apache.org%3E"
            },
            {
              "name": "[cassandra-commits] 20210923 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r632ec30791b441e2eb5a3129532bf1b689bf181d0ef7daf50bcf0fd6%40%3Ccommits.cassandra.apache.org%3E"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2017-5929",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2017:1832",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1832"
                },
                {
                  "name": "RHSA-2017:1675",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1675"
                },
                {
                  "name": "RHSA-2018:2927",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2927"
                },
                {
                  "name": "https://logback.qos.ch/news.html",
                  "refsource": "CONFIRM",
                  "url": "https://logback.qos.ch/news.html"
                },
                {
                  "name": "RHSA-2017:1676",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1676"
                },
                {
                  "name": "[cassandra-commits] 20191112 [jira] [Created] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/a6db61616180d73711d6db25703085940026e2dbc40f153f9d22b203@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20191112 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/18d509024d9aeb07f0e9579066f80bf5d4dcf20467b0c240043890d1@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15421) CVE-2017-5929(QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/fa4eaaa6ff41ac6f79811e053c152ee89b7c5da8a6ac848ae97df67f@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[brooklyn-dev] 20200420 [GitHub] [brooklyn-server] duncangrant opened a new pull request #1091: Update library versions due to CVEs",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9@%3Cdev.brooklyn.apache.org%3E"
                },
                {
                  "name": "[mnemonic-dev] 20201202 [GitHub] [mnemonic] yzz127 opened a new pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rbb4dfca2f7e3e8f3570eec21c79832d33a51dfde6762725660b60169@%3Cdev.mnemonic.apache.org%3E"
                },
                {
                  "name": "[mnemonic-dev] 20201204 [GitHub] [mnemonic] bigdata-memory merged pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/re9b787727291786dfe088e3cd078c7d195c0b5781e15d3cd24a3b2fc@%3Cdev.mnemonic.apache.org%3E"
                },
                {
                  "name": "[mnemonic-commits] 20201204 [mnemonic] branch master updated: MNEMONIC-553: Fix for CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r2c2d57ca180e8173c90fe313ddf8eabbdcf8e3ae196f8b9f42599790@%3Ccommits.mnemonic.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd2227af3c9ada2a72dc72ed05517f5857a34d487580e1f2803922ff9@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r0bb19330e48d5ad784fa20dacba9e5538d8d60f5cd9142e0f1432b4b@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210108 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r4673642893562c58cbee60c151ded6c077e8a2d02296e862224a9161@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210111 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r397bf63783240fbb5713389d3f889d287ae0c11509006700ac720037@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc5f0cc2f3b153bdf15ee7389d78585829abc9c7af4d322ba1085dd3e@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r718f27bed898008a8e037d9cc848cfc1df4d18abcbaee0cb0c142cfb@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210111 [jira] [Assigned] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r2a08573ddee4a86dc96d469485a5843a01710ee0dc2078dfca410c79@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ra007cec726a3927c918ec94c4316d05d1829c49eae8dc3648adc35e2@%3Ccommits.cassandra.apache.org%3E"
                },
                {
                  "name": "[cassandra-commits] 20210923 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r632ec30791b441e2eb5a3129532bf1b689bf181d0ef7daf50bcf0fd6@%3Ccommits.cassandra.apache.org%3E"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2017-5929",
        "datePublished": "2017-03-13T06:14:00.000Z",
        "dateReserved": "2017-02-07T00:00:00.000Z",
        "dateUpdated": "2024-08-05T15:18:48.814Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }