Vulnerability-Lookup

CVE-2020-14343 (GCVE-0-2020-14343)

Vulnerability from cvelistv5 – Published: 2021-02-09 00:00 – Updated: 2024-08-04 12:39

Summary

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.

Severity

No CVSS data available.

CWE

CWE-20

Assigner

redhat

References

5 references

URL	Tags
https://github.com/yaml/pyyaml/issues/420
https://bugzilla.redhat.com/show_bug.cgi?id=1860466
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://github.com/SeldonIO/seldon-core/issues/2252

Impacted products

1 product

Vendor	Product	Version
n/a	PyYAML	Affected: PyYAML 5.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:39:36.530Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/yaml/pyyaml/issues/420"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860466"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/SeldonIO/seldon-core/issues/2252"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PyYAML",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "PyYAML 5.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-06T00:00:00.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://github.com/yaml/pyyaml/issues/420"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860466"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "url": "https://github.com/SeldonIO/seldon-core/issues/2252"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-14343",
    "datePublished": "2021-02-09T00:00:00.000Z",
    "dateReserved": "2020-06-17T00:00:00.000Z",
    "dateUpdated": "2024-08-04T12:39:36.530Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2020-14343",
      "date": "2026-05-30",
      "epss": "0.13704",
      "percentile": "0.9438"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-14343\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2021-02-09T21:15:12.707\",\"lastModified\":\"2024-11-21T05:03:03.217\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.\"},{\"lang\":\"es\",\"value\":\"Se detect\u00f3 una vulnerabilidad en la biblioteca PyYAML en versiones anteriores a 5.4, donde es susceptible una ejecuci\u00f3n de c\u00f3digo arbitrario cuando se procesan archivos YAML no confiables por medio del m\u00e9todo full_load o con el cargador FullLoader.\u0026#xa0;Unas aplicaciones que usan la biblioteca para procesar entradas que no son confiables pueden ser vulnerables a este fallo.\u0026#xa0;Este fallo le permite a un atacante ejecutar c\u00f3digo arbitrario en el sistema abusando del constructor python/object/new.\u0026#xa0;Este fallo se debe a una correcci\u00f3n incompleta para CVE-2020-1747\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":10.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pyyaml:pyyaml:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.1\",\"versionEndExcluding\":\"5.4\",\"matchCriteriaId\":\"5B49BB31-68E9-4F02-8D00-925418F7372C\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C2A5B24D-BDF2-423C-98EA-A40778C01A05\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"04E6C8E9-2024-496C-9BFD-4548A5B44E2E\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1860466\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/SeldonIO/seldon-core/issues/2252\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/yaml/pyyaml/issues/420\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2022.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1860466\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/SeldonIO/seldon-core/issues/2252\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/yaml/pyyaml/issues/420\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}

SUSE-SU-2022:3231-1

Vulnerability from csaf_suse - Published: 2022-09-09 13:27 - Updated: 2022-09-09 13:27

Summary

Security update for python-PyYAML

Severity

Important

Notes

Title of the patch: Security update for python-PyYAML

Description of the patch: This update for python-PyYAML fixes the following issues: - CVE-2020-14343: Fixed a arbitrary code execution when processing untrusted YAML files through the full_load method or with the FullLoader loader. This Fixes an incomplete solution for CVE-2020-1747 (bnc#1174514).

Patchnames: SUSE-2022-3231,SUSE-SLE-Manager-Tools-12-2022-3231,SUSE-SLE-Module-Adv-Systems-Management-12-2022-3231,SUSE-SLE-Module-Containers-12-2022-3231

CVE-2020-14343

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 15 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Advanced Systems Management 12:python-PyYAML-5.1.2-26.15.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Advanced Systems Management 12:python-PyYAML-5.1.2-26.15.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Advanced Systems Management 12:python-PyYAML-5.1.2-26.15.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Advanced Systems Management 12:python3-PyYAML-5.1.2-26.15.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Advanced Systems Management 12:python3-PyYAML-5.1.2-26.15.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Advanced Systems Management 12:python3-PyYAML-5.1.2-26.15.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Containers 12:python-PyYAML-5.1.2-26.15.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.x86_64	—	Vendor Fix

Threats

Impact important

References

8 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1174514	self
https://www.suse.com/security/cve/CVE-2020-14343/	self
https://www.suse.com/security/cve/CVE-2020-14343	external
https://bugzilla.suse.com/1174514	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-PyYAML",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-PyYAML fixes the following issues:\n\n- CVE-2020-14343: Fixed a arbitrary code execution when processing untrusted YAML files through the full_load method or with the FullLoader loader. This Fixes an incomplete solution for CVE-2020-1747 (bnc#1174514).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2022-3231,SUSE-SLE-Manager-Tools-12-2022-3231,SUSE-SLE-Module-Adv-Systems-Management-12-2022-3231,SUSE-SLE-Module-Containers-12-2022-3231",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_3231-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2022:3231-1",
        "url": "https://www.suse.com/support/update/announcement/2022/suse-su-20223231-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2022:3231-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-September/012200.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1174514",
        "url": "https://bugzilla.suse.com/1174514"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-14343 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-14343/"
      }
    ],
    "title": "Security update for python-PyYAML",
    "tracking": {
      "current_release_date": "2022-09-09T13:27:06Z",
      "generator": {
        "date": "2022-09-09T13:27:06Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2022:3231-1",
      "initial_release_date": "2022-09-09T13:27:06Z",
      "revision_history": [
        {
          "date": "2022-09-09T13:27:06Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-PyYAML-5.1.2-26.15.1.aarch64",
                "product": {
                  "name": "python-PyYAML-5.1.2-26.15.1.aarch64",
                  "product_id": "python-PyYAML-5.1.2-26.15.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python3-PyYAML-5.1.2-26.15.1.aarch64",
                "product": {
                  "name": "python3-PyYAML-5.1.2-26.15.1.aarch64",
                  "product_id": "python3-PyYAML-5.1.2-26.15.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-PyYAML-5.1.2-26.15.1.i586",
                "product": {
                  "name": "python-PyYAML-5.1.2-26.15.1.i586",
                  "product_id": "python-PyYAML-5.1.2-26.15.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "python3-PyYAML-5.1.2-26.15.1.i586",
                "product": {
                  "name": "python3-PyYAML-5.1.2-26.15.1.i586",
                  "product_id": "python3-PyYAML-5.1.2-26.15.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-PyYAML-5.1.2-26.15.1.ppc64le",
                "product": {
                  "name": "python-PyYAML-5.1.2-26.15.1.ppc64le",
                  "product_id": "python-PyYAML-5.1.2-26.15.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python3-PyYAML-5.1.2-26.15.1.ppc64le",
                "product": {
                  "name": "python3-PyYAML-5.1.2-26.15.1.ppc64le",
                  "product_id": "python3-PyYAML-5.1.2-26.15.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-PyYAML-5.1.2-26.15.1.s390",
                "product": {
                  "name": "python-PyYAML-5.1.2-26.15.1.s390",
                  "product_id": "python-PyYAML-5.1.2-26.15.1.s390"
                }
              },
              {
                "category": "product_version",
                "name": "python3-PyYAML-5.1.2-26.15.1.s390",
                "product": {
                  "name": "python3-PyYAML-5.1.2-26.15.1.s390",
                  "product_id": "python3-PyYAML-5.1.2-26.15.1.s390"
                }
              }
            ],
            "category": "architecture",
            "name": "s390"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-PyYAML-5.1.2-26.15.1.s390x",
                "product": {
                  "name": "python-PyYAML-5.1.2-26.15.1.s390x",
                  "product_id": "python-PyYAML-5.1.2-26.15.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python3-PyYAML-5.1.2-26.15.1.s390x",
                "product": {
                  "name": "python3-PyYAML-5.1.2-26.15.1.s390x",
                  "product_id": "python3-PyYAML-5.1.2-26.15.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-PyYAML-5.1.2-26.15.1.x86_64",
                "product": {
                  "name": "python-PyYAML-5.1.2-26.15.1.x86_64",
                  "product_id": "python-PyYAML-5.1.2-26.15.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python3-PyYAML-5.1.2-26.15.1.x86_64",
                "product": {
                  "name": "python3-PyYAML-5.1.2-26.15.1.x86_64",
                  "product_id": "python3-PyYAML-5.1.2-26.15.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Manager Client Tools 12",
                "product": {
                  "name": "SUSE Manager Client Tools 12",
                  "product_id": "SUSE Manager Client Tools 12"
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Advanced Systems Management 12",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Advanced Systems Management 12",
                  "product_id": "SUSE Linux Enterprise Module for Advanced Systems Management 12",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-adv-systems-management:12"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Containers 12",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Containers 12",
                  "product_id": "SUSE Linux Enterprise Module for Containers 12",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-containers:12"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-PyYAML-5.1.2-26.15.1.aarch64 as component of SUSE Manager Client Tools 12",
          "product_id": "SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.aarch64"
        },
        "product_reference": "python-PyYAML-5.1.2-26.15.1.aarch64",
        "relates_to_product_reference": "SUSE Manager Client Tools 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-PyYAML-5.1.2-26.15.1.ppc64le as component of SUSE Manager Client Tools 12",
          "product_id": "SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.ppc64le"
        },
        "product_reference": "python-PyYAML-5.1.2-26.15.1.ppc64le",
        "relates_to_product_reference": "SUSE Manager Client Tools 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-PyYAML-5.1.2-26.15.1.s390x as component of SUSE Manager Client Tools 12",
          "product_id": "SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.s390x"
        },
        "product_reference": "python-PyYAML-5.1.2-26.15.1.s390x",
        "relates_to_product_reference": "SUSE Manager Client Tools 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-PyYAML-5.1.2-26.15.1.x86_64 as component of SUSE Manager Client Tools 12",
          "product_id": "SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.x86_64"
        },
        "product_reference": "python-PyYAML-5.1.2-26.15.1.x86_64",
        "relates_to_product_reference": "SUSE Manager Client Tools 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-PyYAML-5.1.2-26.15.1.aarch64 as component of SUSE Manager Client Tools 12",
          "product_id": "SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.aarch64"
        },
        "product_reference": "python3-PyYAML-5.1.2-26.15.1.aarch64",
        "relates_to_product_reference": "SUSE Manager Client Tools 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-PyYAML-5.1.2-26.15.1.ppc64le as component of SUSE Manager Client Tools 12",
          "product_id": "SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.ppc64le"
        },
        "product_reference": "python3-PyYAML-5.1.2-26.15.1.ppc64le",
        "relates_to_product_reference": "SUSE Manager Client Tools 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-PyYAML-5.1.2-26.15.1.s390x as component of SUSE Manager Client Tools 12",
          "product_id": "SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.s390x"
        },
        "product_reference": "python3-PyYAML-5.1.2-26.15.1.s390x",
        "relates_to_product_reference": "SUSE Manager Client Tools 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-PyYAML-5.1.2-26.15.1.x86_64 as component of SUSE Manager Client Tools 12",
          "product_id": "SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.x86_64"
        },
        "product_reference": "python3-PyYAML-5.1.2-26.15.1.x86_64",
        "relates_to_product_reference": "SUSE Manager Client Tools 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-PyYAML-5.1.2-26.15.1.ppc64le as component of SUSE Linux Enterprise Module for Advanced Systems Management 12",
          "product_id": "SUSE Linux Enterprise Module for Advanced Systems Management 12:python-PyYAML-5.1.2-26.15.1.ppc64le"
        },
        "product_reference": "python-PyYAML-5.1.2-26.15.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Advanced Systems Management 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-PyYAML-5.1.2-26.15.1.s390x as component of SUSE Linux Enterprise Module for Advanced Systems Management 12",
          "product_id": "SUSE Linux Enterprise Module for Advanced Systems Management 12:python-PyYAML-5.1.2-26.15.1.s390x"
        },
        "product_reference": "python-PyYAML-5.1.2-26.15.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Advanced Systems Management 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-PyYAML-5.1.2-26.15.1.x86_64 as component of SUSE Linux Enterprise Module for Advanced Systems Management 12",
          "product_id": "SUSE Linux Enterprise Module for Advanced Systems Management 12:python-PyYAML-5.1.2-26.15.1.x86_64"
        },
        "product_reference": "python-PyYAML-5.1.2-26.15.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Advanced Systems Management 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-PyYAML-5.1.2-26.15.1.ppc64le as component of SUSE Linux Enterprise Module for Advanced Systems Management 12",
          "product_id": "SUSE Linux Enterprise Module for Advanced Systems Management 12:python3-PyYAML-5.1.2-26.15.1.ppc64le"
        },
        "product_reference": "python3-PyYAML-5.1.2-26.15.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Advanced Systems Management 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-PyYAML-5.1.2-26.15.1.s390x as component of SUSE Linux Enterprise Module for Advanced Systems Management 12",
          "product_id": "SUSE Linux Enterprise Module for Advanced Systems Management 12:python3-PyYAML-5.1.2-26.15.1.s390x"
        },
        "product_reference": "python3-PyYAML-5.1.2-26.15.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Advanced Systems Management 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-PyYAML-5.1.2-26.15.1.x86_64 as component of SUSE Linux Enterprise Module for Advanced Systems Management 12",
          "product_id": "SUSE Linux Enterprise Module for Advanced Systems Management 12:python3-PyYAML-5.1.2-26.15.1.x86_64"
        },
        "product_reference": "python3-PyYAML-5.1.2-26.15.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Advanced Systems Management 12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-PyYAML-5.1.2-26.15.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 12",
          "product_id": "SUSE Linux Enterprise Module for Containers 12:python-PyYAML-5.1.2-26.15.1.x86_64"
        },
        "product_reference": "python-PyYAML-5.1.2-26.15.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 12"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-14343",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-14343"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Advanced Systems Management 12:python-PyYAML-5.1.2-26.15.1.ppc64le",
          "SUSE Linux Enterprise Module for Advanced Systems Management 12:python-PyYAML-5.1.2-26.15.1.s390x",
          "SUSE Linux Enterprise Module for Advanced Systems Management 12:python-PyYAML-5.1.2-26.15.1.x86_64",
          "SUSE Linux Enterprise Module for Advanced Systems Management 12:python3-PyYAML-5.1.2-26.15.1.ppc64le",
          "SUSE Linux Enterprise Module for Advanced Systems Management 12:python3-PyYAML-5.1.2-26.15.1.s390x",
          "SUSE Linux Enterprise Module for Advanced Systems Management 12:python3-PyYAML-5.1.2-26.15.1.x86_64",
          "SUSE Linux Enterprise Module for Containers 12:python-PyYAML-5.1.2-26.15.1.x86_64",
          "SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.aarch64",
          "SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.ppc64le",
          "SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.s390x",
          "SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.x86_64",
          "SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.aarch64",
          "SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.ppc64le",
          "SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.s390x",
          "SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-14343",
          "url": "https://www.suse.com/security/cve/CVE-2020-14343"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1174514 for CVE-2020-14343",
          "url": "https://bugzilla.suse.com/1174514"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Advanced Systems Management 12:python-PyYAML-5.1.2-26.15.1.ppc64le",
            "SUSE Linux Enterprise Module for Advanced Systems Management 12:python-PyYAML-5.1.2-26.15.1.s390x",
            "SUSE Linux Enterprise Module for Advanced Systems Management 12:python-PyYAML-5.1.2-26.15.1.x86_64",
            "SUSE Linux Enterprise Module for Advanced Systems Management 12:python3-PyYAML-5.1.2-26.15.1.ppc64le",
            "SUSE Linux Enterprise Module for Advanced Systems Management 12:python3-PyYAML-5.1.2-26.15.1.s390x",
            "SUSE Linux Enterprise Module for Advanced Systems Management 12:python3-PyYAML-5.1.2-26.15.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 12:python-PyYAML-5.1.2-26.15.1.x86_64",
            "SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.aarch64",
            "SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.ppc64le",
            "SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.s390x",
            "SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.x86_64",
            "SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.aarch64",
            "SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.ppc64le",
            "SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.s390x",
            "SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Advanced Systems Management 12:python-PyYAML-5.1.2-26.15.1.ppc64le",
            "SUSE Linux Enterprise Module for Advanced Systems Management 12:python-PyYAML-5.1.2-26.15.1.s390x",
            "SUSE Linux Enterprise Module for Advanced Systems Management 12:python-PyYAML-5.1.2-26.15.1.x86_64",
            "SUSE Linux Enterprise Module for Advanced Systems Management 12:python3-PyYAML-5.1.2-26.15.1.ppc64le",
            "SUSE Linux Enterprise Module for Advanced Systems Management 12:python3-PyYAML-5.1.2-26.15.1.s390x",
            "SUSE Linux Enterprise Module for Advanced Systems Management 12:python3-PyYAML-5.1.2-26.15.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 12:python-PyYAML-5.1.2-26.15.1.x86_64",
            "SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.aarch64",
            "SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.ppc64le",
            "SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.s390x",
            "SUSE Manager Client Tools 12:python-PyYAML-5.1.2-26.15.1.x86_64",
            "SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.aarch64",
            "SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.ppc64le",
            "SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.s390x",
            "SUSE Manager Client Tools 12:python3-PyYAML-5.1.2-26.15.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-09-09T13:27:06Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-14343"
    }
  ]
}

WID-SEC-W-2022-0721

Vulnerability from csaf_certbund - Published: 2021-06-29 22:00 - Updated: 2024-12-19 23:00

Summary

Red Hat Enterprise Linux: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.

Angriff: Ein entfernter, anonymer, authentifizierter oder lokaler Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux ausnutzen, um beliebigen Programmcode auszuführen und einen Denial of Service Zustand herzustellen.

Betroffene Betriebssysteme: - Linux - UNIX

CVE-2020-14343

Es existiert eine Schwachstelle in Red Hat Enterprise Linux. Die Schwachstelle besteht in der Komponente "PyYAML library" aufgrund einer unsachgemäßen Eingabevalidierung, wenn nicht vertrauenswürdige YAML-Dateien über die full_load-Methode oder mit dem FullLoader verarbeitet werden. Ein entfernter anonymer Angreifer kann diese Schwachstelle zur Ausführung von beliebigem Code ausnutzen.

Affected products

Known affected 7 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-28211

Es existiert eine Schwachstelle in Red Hat Enterprise Linux. Der Fehler besteht in der Komponente "edk2" aufgrund einer Heap Corruption in der Funktion "LzmaUefiDecompressGetInfo". Ein lokaler Angreifer mit Privilegien kann diese Schwachstelle zur Ausführung von beliebigem Code ausnutzen.

Affected products

Known affected 11 products

Product	Identifier	Version
Avaya Aura Experience Portal Avaya	`cpe:/a:avaya:aura_experience_portal:-`	—
HPE Synergy HPE	`cpe:/h:hpe:synergy:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
NetApp ActiveIQ Unified Manager NetApp	`cpe:/a:netapp:active_iq_unified_manager:-::~~~vmware_vsphere~~`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8
HPE ProLiant HPE	`cpe:/h:hp:proliant:-`	—

CVE-2021-3514

Es existiert eine Schwachstelle in Red Hat Enterprise Linux. Der Fehler besteht in der Komponente "389-ds-base" bei der Verwendung eines "sync_repl clients" aufgrund einer NULL-Zeiger-Dereferenz. Ein entfernter authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um eine Denial-of-Service-Bedingung auszulösen.

Affected products

Known affected 7 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-3520

Es existiert eine Schwachstelle in Red Hat Enterprise Linux. Der Fehler besteht in der Komponente "lz4" aufgrund eines Integer-Überlaufs, der zum Aufruf von "memmove()" mit einem negativen Größenargument führt. Ein entfernter anonymer Angreifer kann diese Schwachstelle ausnutzen, um eine Denial-of-Service-Bedingung auszulösen und einen Out-of-Bounds-Write zu verursachen.

Affected products

Known affected 9 products

Product	Identifier	Version
Avaya Aura Experience Portal Avaya	`cpe:/a:avaya:aura_experience_portal:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
NetApp ActiveIQ Unified Manager NetApp	`cpe:/a:netapp:active_iq_unified_manager:-::~~~vmware_vsphere~~`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

References

32 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://access.redhat.com/errata/RHSA-2021:2575	external
https://access.redhat.com/errata/RHSA-2021:2583	external
https://access.redhat.com/errata/RHSA-2021:2591	external
https://access.redhat.com/errata/RHSA-2021:2595	external
https://linux.oracle.com/errata/ELSA-2021-2575.html	external
https://linux.oracle.com/errata/ELSA-2021-2591.html	external
https://linux.oracle.com/errata/ELSA-2021-2583.html	external
http://linux.oracle.com/errata/ELSA-2021-2595.html	external
https://access.redhat.com/errata/RHSA-2021:2796	external
https://security.archlinux.org/ASA-202107-72	external
https://downloads.avaya.com/css/P8/documents/101076862	external
https://access.redhat.com/errata/RHSA-2021:3016	external
https://access.redhat.com/errata/RHSA-2021:3024	external
https://access.redhat.com/errata/RHSA-2021:3119	external
https://access.redhat.com/errata/RHSA-2021:3229	external
https://access.redhat.com/errata/RHSA-2021:3259	external
https://access.redhat.com/errata/RHSA-2021:3361	external
https://access.redhat.com/errata/RHSA-2021:3556	external
https://security.netapp.com/advisory/ntap-2021110…	external
https://support.hpe.com/hpesc/public/docDisplay?d…	external
https://access.redhat.com/errata/RHSA-2021:4702	external
https://access.redhat.com/errata/RHSA-2022:0056	external
https://access.redhat.com/errata/RHSA-2022:0952	external
https://access.redhat.com/errata/RHSA-2022:1345	external
https://access.redhat.com/errata/RHSA-2022:5606	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://access.redhat.com/errata/RHSA-2022:6407	external
https://access.redhat.com/errata/RHSA-2024:3527	external
https://security.gentoo.org/glsa/202406-04	external
https://alas.aws.amazon.com/AL2/ALAS-2024-2722.html	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer, authentifizierter oder lokaler Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux ausnutzen, um beliebigen Programmcode auszuf\u00fchren und einen Denial of Service Zustand herzustellen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-0721 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2022-0721.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-0721 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0721"
      },
      {
        "category": "external",
        "summary": "Red Hat Customer Portal - Security Advisory vom 2021-06-29",
        "url": "https://access.redhat.com/errata/RHSA-2021:2575"
      },
      {
        "category": "external",
        "summary": "Red Hat Customer Portal - Security Advisory vom 2021-06-29",
        "url": "https://access.redhat.com/errata/RHSA-2021:2583"
      },
      {
        "category": "external",
        "summary": "Red Hat Customer Portal - Security Advisory vom 2021-06-29",
        "url": "https://access.redhat.com/errata/RHSA-2021:2591"
      },
      {
        "category": "external",
        "summary": "Red Hat Customer Portal - Security Advisory vom 2021-06-29",
        "url": "https://access.redhat.com/errata/RHSA-2021:2595"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2021-2575 vom 2021-06-30",
        "url": "https://linux.oracle.com/errata/ELSA-2021-2575.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2021-2591 vom 2021-06-30",
        "url": "https://linux.oracle.com/errata/ELSA-2021-2591.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2021-2583 vom 2021-07-02",
        "url": "https://linux.oracle.com/errata/ELSA-2021-2583.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2021-2595 vom 2021-07-03",
        "url": "http://linux.oracle.com/errata/ELSA-2021-2595.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:2796 vom 2021-07-21",
        "url": "https://access.redhat.com/errata/RHSA-2021:2796"
      },
      {
        "category": "external",
        "summary": "Arch Linux Security Advisory ASA-202107-72 vom 2021-07-27",
        "url": "https://security.archlinux.org/ASA-202107-72"
      },
      {
        "category": "external",
        "summary": "AVAYA Security Advisory ASA-2021-096 vom 2021-07-30",
        "url": "https://downloads.avaya.com/css/P8/documents/101076862"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:3016 vom 2021-08-06",
        "url": "https://access.redhat.com/errata/RHSA-2021:3016"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:3024 vom 2021-08-09",
        "url": "https://access.redhat.com/errata/RHSA-2021:3024"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:3119 vom 2021-08-10",
        "url": "https://access.redhat.com/errata/RHSA-2021:3119"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:3229 vom 2021-08-20",
        "url": "https://access.redhat.com/errata/RHSA-2021:3229"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:3259 vom 2021-08-25",
        "url": "https://access.redhat.com/errata/RHSA-2021:3259"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:3361 vom 2021-08-31",
        "url": "https://access.redhat.com/errata/RHSA-2021:3361"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:3556 vom 2021-09-17",
        "url": "https://access.redhat.com/errata/RHSA-2021:3556"
      },
      {
        "category": "external",
        "summary": "NetApp Security Advisory NTAP-20211104-0005 vom 2021-11-04",
        "url": "https://security.netapp.com/advisory/ntap-20211104-0005/"
      },
      {
        "category": "external",
        "summary": "HP Security Bulletin",
        "url": "https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-hpesbhf04192en_us"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:4702 vom 2021-11-16",
        "url": "https://access.redhat.com/errata/RHSA-2021:4702"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:0056 vom 2022-03-10",
        "url": "https://access.redhat.com/errata/RHSA-2022:0056"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:0952 vom 2022-03-16",
        "url": "https://access.redhat.com/errata/RHSA-2022:0952"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:1345 vom 2022-04-13",
        "url": "https://access.redhat.com/errata/RHSA-2022:1345"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:5606 vom 2022-07-20",
        "url": "https://access.redhat.com/errata/RHSA-2022:5606"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:2841-1 vom 2022-08-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-August/011943.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:6407 vom 2022-09-09",
        "url": "https://access.redhat.com/errata/RHSA-2022:6407"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:3527 vom 2024-05-30",
        "url": "https://access.redhat.com/errata/RHSA-2024:3527"
      },
      {
        "category": "external",
        "summary": "Gentoo Linux Security Advisory GLSA-202406-04 vom 2024-06-22",
        "url": "https://security.gentoo.org/glsa/202406-04"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2024-2722 vom 2024-12-20",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2722.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Red Hat Enterprise Linux: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-12-19T23:00:00.000+00:00",
      "generator": {
        "date": "2024-12-20T09:20:50.552+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2022-0721",
      "initial_release_date": "2021-06-29T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2021-06-29T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2021-07-01T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2021-07-04T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2021-07-20T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2021-07-27T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Arch Linux aufgenommen"
        },
        {
          "date": "2021-08-01T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von AVAYA aufgenommen"
        },
        {
          "date": "2021-08-05T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2021-08-08T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2021-08-10T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2021-08-19T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2021-08-24T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2021-08-30T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2021-09-16T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2021-11-03T23:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von NetApp aufgenommen"
        },
        {
          "date": "2021-11-10T23:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von HP aufgenommen"
        },
        {
          "date": "2021-11-16T23:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-03-10T23:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-03-16T23:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-04-13T22:00:00.000+00:00",
          "number": "19",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-07-19T22:00:00.000+00:00",
          "number": "20",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-08-18T22:00:00.000+00:00",
          "number": "21",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-09-11T22:00:00.000+00:00",
          "number": "22",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-05-30T22:00:00.000+00:00",
          "number": "23",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-06-23T22:00:00.000+00:00",
          "number": "24",
          "summary": "Neue Updates von Gentoo aufgenommen"
        },
        {
          "date": "2024-12-19T23:00:00.000+00:00",
          "number": "25",
          "summary": "Neue Updates von Amazon aufgenommen"
        }
      ],
      "status": "final",
      "version": "25"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Avaya Aura Experience Portal",
            "product": {
              "name": "Avaya Aura Experience Portal",
              "product_id": "T015519",
              "product_identification_helper": {
                "cpe": "cpe:/a:avaya:aura_experience_portal:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Avaya"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Gentoo Linux",
            "product": {
              "name": "Gentoo Linux",
              "product_id": "T012167",
              "product_identification_helper": {
                "cpe": "cpe:/o:gentoo:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Gentoo"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "HPE ProLiant",
            "product": {
              "name": "HPE ProLiant",
              "product_id": "T009310",
              "product_identification_helper": {
                "cpe": "cpe:/h:hp:proliant:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "HPE Synergy",
            "product": {
              "name": "HPE Synergy",
              "product_id": "T019820",
              "product_identification_helper": {
                "cpe": "cpe:/h:hpe:synergy:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "HPE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "NetApp ActiveIQ Unified Manager",
            "product": {
              "name": "NetApp ActiveIQ Unified Manager",
              "product_id": "658714",
              "product_identification_helper": {
                "cpe": "cpe:/a:netapp:active_iq_unified_manager:-::~~~vmware_vsphere~~"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "NetApp"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source Arch Linux",
            "product": {
              "name": "Open Source Arch Linux",
              "product_id": "T013312",
              "product_identification_helper": {
                "cpe": "cpe:/o:archlinux:archlinux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux",
                "product": {
                  "name": "Red Hat Enterprise Linux",
                  "product_id": "67646",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:-"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8",
                "product": {
                  "name": "Red Hat Enterprise Linux 8",
                  "product_id": "T014111",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:8"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Enterprise Linux"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-14343",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Red Hat Enterprise Linux. Die Schwachstelle besteht in der Komponente \"PyYAML library\" aufgrund einer unsachgem\u00e4\u00dfen Eingabevalidierung, wenn nicht vertrauensw\u00fcrdige YAML-Dateien \u00fcber die full_load-Methode oder mit dem FullLoader verarbeitet werden. Ein entfernter anonymer Angreifer kann diese Schwachstelle zur Ausf\u00fchrung von beliebigem Code ausnutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T002207",
          "67646",
          "T013312",
          "398363",
          "T012167",
          "T004914",
          "T014111"
        ]
      },
      "release_date": "2021-06-29T22:00:00.000+00:00",
      "title": "CVE-2020-14343"
    },
    {
      "cve": "CVE-2021-28211",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Red Hat Enterprise Linux. Der Fehler besteht in der Komponente \"edk2\" aufgrund einer Heap Corruption in der Funktion \"LzmaUefiDecompressGetInfo\". Ein lokaler Angreifer mit Privilegien kann diese Schwachstelle zur Ausf\u00fchrung von beliebigem Code ausnutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T015519",
          "T019820",
          "T002207",
          "67646",
          "T013312",
          "398363",
          "T012167",
          "658714",
          "T004914",
          "T014111",
          "T009310"
        ]
      },
      "release_date": "2021-06-29T22:00:00.000+00:00",
      "title": "CVE-2021-28211"
    },
    {
      "cve": "CVE-2021-3514",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Red Hat Enterprise Linux. Der Fehler besteht in der Komponente \"389-ds-base\" bei der Verwendung eines \"sync_repl clients\" aufgrund einer NULL-Zeiger-Dereferenz. Ein entfernter authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um eine Denial-of-Service-Bedingung auszul\u00f6sen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T002207",
          "67646",
          "T013312",
          "398363",
          "T012167",
          "T004914",
          "T014111"
        ]
      },
      "release_date": "2021-06-29T22:00:00.000+00:00",
      "title": "CVE-2021-3514"
    },
    {
      "cve": "CVE-2021-3520",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Red Hat Enterprise Linux. Der Fehler besteht in der Komponente \"lz4\" aufgrund eines Integer-\u00dcberlaufs, der zum Aufruf von \"memmove()\" mit einem negativen Gr\u00f6\u00dfenargument f\u00fchrt. Ein entfernter anonymer Angreifer kann diese Schwachstelle ausnutzen, um eine Denial-of-Service-Bedingung auszul\u00f6sen und einen Out-of-Bounds-Write zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T015519",
          "T002207",
          "67646",
          "T013312",
          "398363",
          "T012167",
          "658714",
          "T004914",
          "T014111"
        ]
      },
      "release_date": "2021-06-29T22:00:00.000+00:00",
      "title": "CVE-2021-3520"
    }
  ]
}

WID-SEC-W-2023-1032

Vulnerability from csaf_certbund - Published: 2023-04-18 22:00 - Updated: 2023-04-18 22:00

Summary

Oracle PeopleSoft: Mehrere Schwachstellen

Severity

Hoch

Notes

Produktbeschreibung: Oracle PeopleSoft ist eine ERP Anwendung.

Angriff: Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle PeopleSoft ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.

Betroffene Betriebssysteme: - UNIX - Linux - Windows

CVE-2023-21992

In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.

Affected products

Known affected 4 products

Product	Identifier	Version
Oracle PeopleSoft 8.58 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.58`	—
Oracle PeopleSoft 8.60 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.60`	—
Oracle PeopleSoft 9.2 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:9.2`	—
Oracle PeopleSoft 8.59 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.59`	—

CVE-2023-21981

Affected products

Known affected 4 products

Product	Identifier	Version
Oracle PeopleSoft 8.58 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.58`	—
Oracle PeopleSoft 8.60 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.60`	—
Oracle PeopleSoft 9.2 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:9.2`	—
Oracle PeopleSoft 8.59 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.59`	—

CVE-2023-21916

Affected products

Known affected 4 products

Product	Identifier	Version
Oracle PeopleSoft 8.58 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.58`	—
Oracle PeopleSoft 8.60 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.60`	—
Oracle PeopleSoft 9.2 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:9.2`	—
Oracle PeopleSoft 8.59 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.59`	—

CVE-2022-45685

Affected products

Known affected 4 products

Product	Identifier	Version
Oracle PeopleSoft 8.58 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.58`	—
Oracle PeopleSoft 8.60 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.60`	—
Oracle PeopleSoft 9.2 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:9.2`	—
Oracle PeopleSoft 8.59 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.59`	—

CVE-2022-45047

Affected products

Known affected 4 products

Product	Identifier	Version
Oracle PeopleSoft 8.58 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.58`	—
Oracle PeopleSoft 8.60 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.60`	—
Oracle PeopleSoft 9.2 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:9.2`	—
Oracle PeopleSoft 8.59 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.59`	—

CVE-2022-41881

Affected products

Known affected 4 products

Product	Identifier	Version
Oracle PeopleSoft 8.58 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.58`	—
Oracle PeopleSoft 8.60 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.60`	—
Oracle PeopleSoft 9.2 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:9.2`	—
Oracle PeopleSoft 8.59 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.59`	—

CVE-2022-36033

Affected products

Known affected 4 products

Product	Identifier	Version
Oracle PeopleSoft 8.58 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.58`	—
Oracle PeopleSoft 8.60 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.60`	—
Oracle PeopleSoft 9.2 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:9.2`	—
Oracle PeopleSoft 8.59 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.59`	—

CVE-2022-34169

Affected products

Known affected 4 products

Product	Identifier	Version
Oracle PeopleSoft 8.58 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.58`	—
Oracle PeopleSoft 8.60 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.60`	—
Oracle PeopleSoft 9.2 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:9.2`	—
Oracle PeopleSoft 8.59 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.59`	—

CVE-2021-37533

Affected products

Known affected 4 products

Product	Identifier	Version
Oracle PeopleSoft 8.58 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.58`	—
Oracle PeopleSoft 8.60 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.60`	—
Oracle PeopleSoft 9.2 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:9.2`	—
Oracle PeopleSoft 8.59 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.59`	—

CVE-2020-14343

Affected products

Known affected 4 products

Product	Identifier	Version
Oracle PeopleSoft 8.58 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.58`	—
Oracle PeopleSoft 8.60 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.60`	—
Oracle PeopleSoft 9.2 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:9.2`	—
Oracle PeopleSoft 8.59 Oracle / PeopleSoft	`cpe:/a:oracle:peoplesoft:8.59`	—

References

3 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.oracle.com/security-alerts/cpuapr2023…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Oracle PeopleSoft ist eine ERP Anwendung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle PeopleSoft ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-1032 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1032.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-1032 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1032"
      },
      {
        "category": "external",
        "summary": "Oracle Critical Patch Update Advisory - April 2023 - Appendix Oracle PeopleSoft vom 2023-04-18",
        "url": "https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixPS"
      }
    ],
    "source_lang": "en-US",
    "title": "Oracle PeopleSoft: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-04-18T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:49:32.637+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-1032",
      "initial_release_date": "2023-04-18T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-04-18T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Oracle PeopleSoft 8.58",
                "product": {
                  "name": "Oracle PeopleSoft 8.58",
                  "product_id": "T019029",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:peoplesoft:8.58"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Oracle PeopleSoft 9.2",
                "product": {
                  "name": "Oracle PeopleSoft 9.2",
                  "product_id": "T019030",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:peoplesoft:9.2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Oracle PeopleSoft 8.59",
                "product": {
                  "name": "Oracle PeopleSoft 8.59",
                  "product_id": "T019905",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:peoplesoft:8.59"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Oracle PeopleSoft 8.60",
                "product": {
                  "name": "Oracle PeopleSoft 8.60",
                  "product_id": "T025008",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:peoplesoft:8.60"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "PeopleSoft"
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-21992",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T019029",
          "T025008",
          "T019030",
          "T019905"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2023-21992"
    },
    {
      "cve": "CVE-2023-21981",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T019029",
          "T025008",
          "T019030",
          "T019905"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2023-21981"
    },
    {
      "cve": "CVE-2023-21916",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T019029",
          "T025008",
          "T019030",
          "T019905"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2023-21916"
    },
    {
      "cve": "CVE-2022-45685",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T019029",
          "T025008",
          "T019030",
          "T019905"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2022-45685"
    },
    {
      "cve": "CVE-2022-45047",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T019029",
          "T025008",
          "T019030",
          "T019905"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2022-45047"
    },
    {
      "cve": "CVE-2022-41881",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T019029",
          "T025008",
          "T019030",
          "T019905"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2022-41881"
    },
    {
      "cve": "CVE-2022-36033",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T019029",
          "T025008",
          "T019030",
          "T019905"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2022-36033"
    },
    {
      "cve": "CVE-2022-34169",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T019029",
          "T025008",
          "T019030",
          "T019905"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2022-34169"
    },
    {
      "cve": "CVE-2021-37533",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T019029",
          "T025008",
          "T019030",
          "T019905"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2021-37533"
    },
    {
      "cve": "CVE-2020-14343",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T019029",
          "T025008",
          "T019030",
          "T019905"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2020-14343"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-14343 (GCVE-0-2020-14343)

SUSE-SU-2022:3231-1

WID-SEC-W-2022-0721

WID-SEC-W-2023-1032

Tags

Sightings

Nomenclature