Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2021-42392 (GCVE-0-2021-42392)
Vulnerability from cvelistv5 – Published: 2022-01-07 00:00 – Updated: 2024-08-04 03:30
VLAI
EPSS
Summary
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.
Severity
No CVSS data available.
CWE
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| h2database | h2 |
Affected:
1.1.000 , < *
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:30:38.345Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6"
},
{
"name": "[debian-lts-announce] 20220215 [SECURITY] [DLA 2923-1] h2database security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html"
},
{
"name": "DSA-5076",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5076"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220119-0001/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "h2",
"vendor": "h2database",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.1.000",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-24T00:00:00.000Z",
"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
"shortName": "JFROG"
},
"references": [
{
"url": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6"
},
{
"name": "[debian-lts-announce] 20220215 [SECURITY] [DLA 2923-1] h2database security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html"
},
{
"name": "DSA-5076",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5076"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"url": "https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220119-0001/"
},
{
"url": "https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
"assignerShortName": "JFROG",
"cveId": "CVE-2021-42392",
"datePublished": "2022-01-07T00:00:00.000Z",
"dateReserved": "2021-10-14T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:30:38.345Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-42392",
"date": "2026-05-27",
"epss": "0.90592",
"percentile": "0.99631"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-42392\",\"sourceIdentifier\":\"reefs@jfrog.com\",\"published\":\"2022-01-10T14:10:23.643\",\"lastModified\":\"2024-11-21T06:27:43.510\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.\"},{\"lang\":\"es\",\"value\":\"El m\u00e9todo org.h2.util.JdbcUtils.getConnection de la base de datos H2 toma como par\u00e1metros el nombre de la clase del controlador y la URL de la base de datos. Un atacante puede pasar un nombre de controlador JNDI y una URL que conlleve a un servidor LDAP o RMI, causando una ejecuci\u00f3n de c\u00f3digo remota. Esto puede ser explotado mediante varios vectores de ataque, sobre todo mediante la Consola H2 que conlleva a una ejecuci\u00f3n de c\u00f3digo remoto no autenticado\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":10.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"reefs@jfrog.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h2database:h2:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.1.000\",\"versionEndIncluding\":\"2.0.204\",\"matchCriteriaId\":\"6770600B-79F8-4C9A-A455-CC0F0604D864\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B4367D9B-BF81-47AD-A840-AC46317C774D\"}]}]}],\"references\":[{\"url\":\"https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6\",\"source\":\"reefs@jfrog.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/\",\"source\":\"reefs@jfrog.com\",\"tags\":[\"Exploit\",\"Technical Description\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html\",\"source\":\"reefs@jfrog.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20220119-0001/\",\"source\":\"reefs@jfrog.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2022/dsa-5076\",\"source\":\"reefs@jfrog.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2022.html\",\"source\":\"reefs@jfrog.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console/\",\"source\":\"reefs@jfrog.com\"},{\"url\":\"https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Technical Description\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20220119-0001/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2022/dsa-5076\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
RHSA-2022:6782
Vulnerability from csaf_redhat - Published: 2022-10-04 16:02 - Updated: 2026-05-14 22:32Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.5.3 security update on RHEL 7
Severity
Moderate
Notes
Topic: New Red Hat Single Sign-On 7.5.3 packages are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.5.3 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.5.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
* wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866)
* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)
* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)
* keycloak-saml-core: keycloak: Uploading of SAML javascript protocol mapper scripts through the admin (CVE-2022-2668)
* keycloak: Stored XSS in groups dropdown (CVE-2022-0225)
* h2: Remote Code Execution in Console (CVE-2021-42392)
* keycloak-core: keycloak: improper input validation permits script injection (CVE-2022-2256)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server’s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.
6.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.
5.7 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Wildfly, where it returns an incorrect caller principal under certain heavily concurrent situations when Elytron Security is used. This flaw allows an attacker to gain improper access to information they should not have.
CWE-1220 - Insufficient Granularity of Access ControlAffected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A Stored Cross-site scripting (XSS) vulnerability was found in keycloak. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.
6.4 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
49 references
Acknowledgments
NRMC team (Nasdaq)
Johan Nilsson
Schindler Elevator Ltd., Switzerland
Oliver Bieri
NETAŞ PENTEST TEAM
Aytaç Kalıncı
Ilker Bulgurcu
Yasin Yılmaz
Red Hat
Marek Posolda
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat Single Sign-On 7.5.3 packages are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.3 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.5.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)\n\n* wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866)\n\n* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)\n\n* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)\n\n* keycloak-saml-core: keycloak: Uploading of SAML javascript protocol mapper scripts through the admin (CVE-2022-2668)\n\n* keycloak: Stored XSS in groups dropdown (CVE-2022-0225)\n\n* h2: Remote Code Execution in Console (CVE-2021-42392)\n\n* keycloak-core: keycloak: improper input validation permits script injection (CVE-2022-2256)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:6782",
"url": "https://access.redhat.com/errata/RHSA-2022:6782"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2031958",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031958"
},
{
"category": "external",
"summary": "2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "2040268",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040268"
},
{
"category": "external",
"summary": "2060929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929"
},
{
"category": "external",
"summary": "2064226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
},
{
"category": "external",
"summary": "2064698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
},
{
"category": "external",
"summary": "2101942",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2101942"
},
{
"category": "external",
"summary": "2115392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2115392"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6782.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.3 security update on RHEL 7",
"tracking": {
"current_release_date": "2026-05-14T22:32:45+00:00",
"generator": {
"date": "2026-05-14T22:32:45+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2022:6782",
"initial_release_date": "2022-10-04T16:02:49+00:00",
"revision_history": [
{
"date": "2022-10-04T16:02:49+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-10-04T16:02:49+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:32:45+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7.5 for RHEL 7 Server",
"product": {
"name": "Red Hat Single Sign-On 7.5 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"product": {
"name": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"product_id": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.8-1.redhat_00001.1.el7sso?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"product": {
"name": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"product_id": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.8-1.redhat_00001.1.el7sso?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"product": {
"name": "rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"product_id": "rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@15.0.8-1.redhat_00001.1.el7sso?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
},
"product_reference": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"relates_to_product_reference": "7Server-RHSSO-7.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src"
},
"product_reference": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"relates_to_product_reference": "7Server-RHSSO-7.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
},
"product_reference": "rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"relates_to_product_reference": "7Server-RHSSO-7.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-36518",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-03-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2064698"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: denial of service via a large depth of nested objects",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "CodeReady Studio is no longer supported and therefore this flaw will not be addressed in CodeReady Studio.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-36518"
},
{
"category": "external",
"summary": "RHBZ#2064698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-36518",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36518"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-57j2-w4cx-62h2",
"url": "https://github.com/advisories/GHSA-57j2-w4cx-62h2"
}
],
"release_date": "2020-08-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T16:02:49+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: denial of service via a large depth of nested objects"
},
{
"cve": "CVE-2021-42392",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-01-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2039403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server\u2019s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "h2: Remote Code Execution in Console",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP) the openshift4/ose-metering-presto container image ships the vulnerable version of h2, but as it uses default configuration the impact by this vulnerability is LOW. Additionally, the Presto component is part of the OCP Metering stack and since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected component is marked as wontfix.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-42392"
},
{
"category": "external",
"summary": "RHBZ#2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-42392",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42392"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392"
},
{
"category": "external",
"summary": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6",
"url": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6"
}
],
"release_date": "2022-01-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T16:02:49+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "h2: Remote Code Execution in Console"
},
{
"cve": "CVE-2021-43797",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-12-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031958"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: control chars in header names may lead to HTTP request smuggling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated, hence the affected components are marked as wontfix.\nThe openshift4/ose-logging-elasticsearch6 container is marked as Out of support scope because since the release of OCP 4.7 the logging functionality is delivered as an OpenShift Logging product and OCP 4.6 is already in the Maintenance Support phase.\nA fix was introduced in netty-codec-http version 4.1.72.Final.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-43797"
},
{
"category": "external",
"summary": "RHBZ#2031958",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031958"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-43797",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43797"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq",
"url": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq"
}
],
"release_date": "2021-12-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T16:02:49+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "netty: control chars in header names may lead to HTTP request smuggling"
},
{
"cve": "CVE-2022-0084",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-03-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2064226"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Although the CVSS stands for 7.5 score, the impact remains Moderate as it demands previous knowledge of the environment to trigger the Denial of Service (DoS)",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0084"
},
{
"category": "external",
"summary": "RHBZ#2064226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0084",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0084"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0084",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0084"
}
],
"release_date": "2022-03-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T16:02:49+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr"
},
{
"acknowledgments": [
{
"names": [
"Johan Nilsson"
],
"organization": "NRMC team (Nasdaq)"
}
],
"cve": "CVE-2022-0225",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-01-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040268"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Stored XSS in groups dropdown",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0225"
},
{
"category": "external",
"summary": "RHBZ#2040268",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040268"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0225",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0225"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0225",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0225"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m"
}
],
"release_date": "2022-01-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T16:02:49+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Stored XSS in groups dropdown"
},
{
"acknowledgments": [
{
"names": [
"Oliver Bieri"
],
"organization": "Schindler Elevator Ltd., Switzerland"
}
],
"cve": "CVE-2022-0866",
"cwe": {
"id": "CWE-1220",
"name": "Insufficient Granularity of Access Control"
},
"discovery_date": "2022-02-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060929"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly, where it returns an incorrect caller principal under certain heavily concurrent situations when Elytron Security is used. This flaw allows an attacker to gain improper access to information they should not have.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "JBoss EAP 7.1 until 7.4 is not affected by default as it comes with Legacy Security enabled out-of-the-box. This only affects application scope range and the methods mentioned, no access to server data.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0866"
},
{
"category": "external",
"summary": "RHBZ#2060929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0866",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0866"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0866",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0866"
}
],
"release_date": "2022-05-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T16:02:49+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6782"
},
{
"category": "workaround",
"details": "In order to avoid the possibility of information access, review application source code for \u0027@RunAs\u0027 and \u0027run-as-principal\u0027 usage. Also, make sure the application is using or not Elytron Security. It\u0027s possible to investigate by checking if the commands from \u0027$JBOSS_HOME/docs/examples/enable-elytron.cli\u0027 or similar were executed.",
"product_ids": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled"
},
{
"acknowledgments": [
{
"names": [
"Ayta\u00e7 Kal\u0131nc\u0131",
"Ilker Bulgurcu",
"Yasin Y\u0131lmaz"
],
"organization": "NETA\u015e PENTEST TEAM"
}
],
"cve": "CVE-2022-2256",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-06-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2101942"
}
],
"notes": [
{
"category": "description",
"text": "A Stored Cross-site scripting (XSS) vulnerability was found in keycloak. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: improper input validation permits script injection",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2256"
},
{
"category": "external",
"summary": "RHBZ#2101942",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2101942"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2256",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2256"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2256",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2256"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-w9mf-83w3-fv49",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-w9mf-83w3-fv49"
}
],
"release_date": "2022-06-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T16:02:49+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: improper input validation permits script injection"
},
{
"acknowledgments": [
{
"names": [
"Marek Posolda"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2022-2668",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2022-08-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2115392"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2668"
},
{
"category": "external",
"summary": "RHBZ#2115392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2115392"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2668",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2668"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2668",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2668"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v"
}
],
"release_date": "2022-08-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T16:02:49+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6782"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console"
}
]
}
RHSA-2022:6783
Vulnerability from csaf_redhat - Published: 2022-10-04 15:35 - Updated: 2026-05-14 22:32Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.5.3 security update on RHEL 8
Severity
Moderate
Notes
Topic: New Red Hat Single Sign-On 7.5.3 packages are now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.5.3 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.5.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
* wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866)
* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)
* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)
* keycloak-saml-core: keycloak: Uploading of SAML javascript protocol mapper scripts through the admin (CVE-2022-2668)
* keycloak: Stored XSS in groups dropdown (CVE-2022-0225)
* h2: Remote Code Execution in Console (CVE-2021-42392)
* keycloak-core: keycloak: improper input validation permits script injection (CVE-2022-2256)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server’s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.
6.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.
5.7 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Wildfly, where it returns an incorrect caller principal under certain heavily concurrent situations when Elytron Security is used. This flaw allows an attacker to gain improper access to information they should not have.
CWE-1220 - Insufficient Granularity of Access ControlAffected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A Stored Cross-site scripting (XSS) vulnerability was found in keycloak. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.
6.4 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
49 references
Acknowledgments
NRMC team (Nasdaq)
Johan Nilsson
Schindler Elevator Ltd., Switzerland
Oliver Bieri
NETAŞ PENTEST TEAM
Aytaç Kalıncı
Ilker Bulgurcu
Yasin Yılmaz
Red Hat
Marek Posolda
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat Single Sign-On 7.5.3 packages are now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.3 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.5.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)\n\n* wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866)\n\n* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)\n\n* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)\n\n* keycloak-saml-core: keycloak: Uploading of SAML javascript protocol mapper scripts through the admin (CVE-2022-2668)\n\n* keycloak: Stored XSS in groups dropdown (CVE-2022-0225)\n\n* h2: Remote Code Execution in Console (CVE-2021-42392)\n\n* keycloak-core: keycloak: improper input validation permits script injection (CVE-2022-2256)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:6783",
"url": "https://access.redhat.com/errata/RHSA-2022:6783"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2031958",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031958"
},
{
"category": "external",
"summary": "2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "2040268",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040268"
},
{
"category": "external",
"summary": "2060929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929"
},
{
"category": "external",
"summary": "2064226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
},
{
"category": "external",
"summary": "2064698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
},
{
"category": "external",
"summary": "2101942",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2101942"
},
{
"category": "external",
"summary": "2115392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2115392"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6783.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.3 security update on RHEL 8",
"tracking": {
"current_release_date": "2026-05-14T22:32:46+00:00",
"generator": {
"date": "2026-05-14T22:32:46+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2022:6783",
"initial_release_date": "2022-10-04T15:35:14+00:00",
"revision_history": [
{
"date": "2022-10-04T15:35:14+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-10-04T15:35:14+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:32:46+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7.5 for RHEL 8",
"product": {
"name": "Red Hat Single Sign-On 7.5 for RHEL 8",
"product_id": "8Base-RHSSO-7.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"product": {
"name": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"product_id": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.8-1.redhat_00001.1.el8sso?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"product": {
"name": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"product_id": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.8-1.redhat_00001.1.el8sso?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"product": {
"name": "rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"product_id": "rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@15.0.8-1.redhat_00001.1.el8sso?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 8",
"product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
},
"product_reference": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"relates_to_product_reference": "8Base-RHSSO-7.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src as a component of Red Hat Single Sign-On 7.5 for RHEL 8",
"product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src"
},
"product_reference": "rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"relates_to_product_reference": "8Base-RHSSO-7.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 8",
"product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
},
"product_reference": "rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"relates_to_product_reference": "8Base-RHSSO-7.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-36518",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-03-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2064698"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: denial of service via a large depth of nested objects",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "CodeReady Studio is no longer supported and therefore this flaw will not be addressed in CodeReady Studio.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-36518"
},
{
"category": "external",
"summary": "RHBZ#2064698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-36518",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36518"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-57j2-w4cx-62h2",
"url": "https://github.com/advisories/GHSA-57j2-w4cx-62h2"
}
],
"release_date": "2020-08-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T15:35:14+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6783"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: denial of service via a large depth of nested objects"
},
{
"cve": "CVE-2021-42392",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-01-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2039403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server\u2019s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "h2: Remote Code Execution in Console",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP) the openshift4/ose-metering-presto container image ships the vulnerable version of h2, but as it uses default configuration the impact by this vulnerability is LOW. Additionally, the Presto component is part of the OCP Metering stack and since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected component is marked as wontfix.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-42392"
},
{
"category": "external",
"summary": "RHBZ#2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-42392",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42392"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392"
},
{
"category": "external",
"summary": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6",
"url": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6"
}
],
"release_date": "2022-01-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T15:35:14+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6783"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "h2: Remote Code Execution in Console"
},
{
"cve": "CVE-2021-43797",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-12-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031958"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: control chars in header names may lead to HTTP request smuggling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated, hence the affected components are marked as wontfix.\nThe openshift4/ose-logging-elasticsearch6 container is marked as Out of support scope because since the release of OCP 4.7 the logging functionality is delivered as an OpenShift Logging product and OCP 4.6 is already in the Maintenance Support phase.\nA fix was introduced in netty-codec-http version 4.1.72.Final.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-43797"
},
{
"category": "external",
"summary": "RHBZ#2031958",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031958"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-43797",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43797"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq",
"url": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq"
}
],
"release_date": "2021-12-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T15:35:14+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6783"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "netty: control chars in header names may lead to HTTP request smuggling"
},
{
"cve": "CVE-2022-0084",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-03-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2064226"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Although the CVSS stands for 7.5 score, the impact remains Moderate as it demands previous knowledge of the environment to trigger the Denial of Service (DoS)",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0084"
},
{
"category": "external",
"summary": "RHBZ#2064226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0084",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0084"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0084",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0084"
}
],
"release_date": "2022-03-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T15:35:14+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6783"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr"
},
{
"acknowledgments": [
{
"names": [
"Johan Nilsson"
],
"organization": "NRMC team (Nasdaq)"
}
],
"cve": "CVE-2022-0225",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-01-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040268"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Stored XSS in groups dropdown",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0225"
},
{
"category": "external",
"summary": "RHBZ#2040268",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040268"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0225",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0225"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0225",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0225"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m"
}
],
"release_date": "2022-01-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T15:35:14+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6783"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Stored XSS in groups dropdown"
},
{
"acknowledgments": [
{
"names": [
"Oliver Bieri"
],
"organization": "Schindler Elevator Ltd., Switzerland"
}
],
"cve": "CVE-2022-0866",
"cwe": {
"id": "CWE-1220",
"name": "Insufficient Granularity of Access Control"
},
"discovery_date": "2022-02-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060929"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly, where it returns an incorrect caller principal under certain heavily concurrent situations when Elytron Security is used. This flaw allows an attacker to gain improper access to information they should not have.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "JBoss EAP 7.1 until 7.4 is not affected by default as it comes with Legacy Security enabled out-of-the-box. This only affects application scope range and the methods mentioned, no access to server data.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0866"
},
{
"category": "external",
"summary": "RHBZ#2060929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0866",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0866"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0866",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0866"
}
],
"release_date": "2022-05-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T15:35:14+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6783"
},
{
"category": "workaround",
"details": "In order to avoid the possibility of information access, review application source code for \u0027@RunAs\u0027 and \u0027run-as-principal\u0027 usage. Also, make sure the application is using or not Elytron Security. It\u0027s possible to investigate by checking if the commands from \u0027$JBOSS_HOME/docs/examples/enable-elytron.cli\u0027 or similar were executed.",
"product_ids": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled"
},
{
"acknowledgments": [
{
"names": [
"Ayta\u00e7 Kal\u0131nc\u0131",
"Ilker Bulgurcu",
"Yasin Y\u0131lmaz"
],
"organization": "NETA\u015e PENTEST TEAM"
}
],
"cve": "CVE-2022-2256",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-06-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2101942"
}
],
"notes": [
{
"category": "description",
"text": "A Stored Cross-site scripting (XSS) vulnerability was found in keycloak. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: improper input validation permits script injection",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2256"
},
{
"category": "external",
"summary": "RHBZ#2101942",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2101942"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2256",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2256"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2256",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2256"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-w9mf-83w3-fv49",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-w9mf-83w3-fv49"
}
],
"release_date": "2022-06-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T15:35:14+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6783"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: improper input validation permits script injection"
},
{
"acknowledgments": [
{
"names": [
"Marek Posolda"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2022-2668",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2022-08-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2115392"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2668"
},
{
"category": "external",
"summary": "RHBZ#2115392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2115392"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2668",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2668"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2668",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2668"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v"
}
],
"release_date": "2022-08-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T15:35:14+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6783"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.8-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console"
}
]
}
RHSA-2022:6787
Vulnerability from csaf_redhat - Published: 2022-10-04 15:53 - Updated: 2026-05-14 22:32Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.5.3 security update
Severity
Moderate
Notes
Topic: A security update is now available for Red Hat Single Sign-On 7.5 from the Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.5.3 serves as a replacement for Red Hat Single Sign-On 7.5.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
* h2: Remote Code Execution in Console (CVE-2021-42392)
* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)
* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)
* keycloak: Stored XSS in groups dropdown (CVE-2022-0225)
* wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866)
* keycloak-saml-core: keycloak: Uploading of SAML javascript protocol mapper scripts through the admin (CVE-2022-2668)
* keycloak-core: keycloak: improper input validation permits script injection (CVE-2022-2256)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server’s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.
5.7 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Wildfly, where it returns an incorrect caller principal under certain heavily concurrent situations when Elytron Security is used. This flaw allows an attacker to gain improper access to information they should not have.
CWE-1220 - Insufficient Granularity of Access ControlAffected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A Stored Cross-site scripting (XSS) vulnerability was found in keycloak. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.
6.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
50 references
Acknowledgments
NRMC team (Nasdaq)
Johan Nilsson
Schindler Elevator Ltd., Switzerland
Oliver Bieri
NETAŞ PENTEST TEAM
Aytaç Kalıncı
Ilker Bulgurcu
Yasin Yılmaz
Red Hat
Marek Posolda
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update is now available for Red Hat Single Sign-On 7.5 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.3 serves as a replacement for Red Hat Single Sign-On 7.5.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)\n\n* h2: Remote Code Execution in Console (CVE-2021-42392)\n\n* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)\n\n* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)\n\n* keycloak: Stored XSS in groups dropdown (CVE-2022-0225)\n\n* wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866)\n\n* keycloak-saml-core: keycloak: Uploading of SAML javascript protocol mapper scripts through the admin (CVE-2022-2668)\n\n* keycloak-core: keycloak: improper input validation permits script injection (CVE-2022-2256)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:6787",
"url": "https://access.redhat.com/errata/RHSA-2022:6787"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/products/red-hat-single-sign-on/",
"url": "https://access.redhat.com/products/red-hat-single-sign-on/"
},
{
"category": "external",
"summary": "2031958",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031958"
},
{
"category": "external",
"summary": "2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "2040268",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040268"
},
{
"category": "external",
"summary": "2060929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929"
},
{
"category": "external",
"summary": "2064226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
},
{
"category": "external",
"summary": "2064698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
},
{
"category": "external",
"summary": "2101942",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2101942"
},
{
"category": "external",
"summary": "2115392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2115392"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6787.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.3 security update",
"tracking": {
"current_release_date": "2026-05-14T22:32:46+00:00",
"generator": {
"date": "2026-05-14T22:32:46+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2022:6787",
"initial_release_date": "2022-10-04T15:53:11+00:00",
"revision_history": [
{
"date": "2022-10-04T15:53:11+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-10-04T15:53:11+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:32:46+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7",
"product": {
"name": "Red Hat Single Sign-On 7",
"product_id": "Red Hat Single Sign-On 7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-36518",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-03-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2064698"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: denial of service via a large depth of nested objects",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "CodeReady Studio is no longer supported and therefore this flaw will not be addressed in CodeReady Studio.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-36518"
},
{
"category": "external",
"summary": "RHBZ#2064698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-36518",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36518"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-57j2-w4cx-62h2",
"url": "https://github.com/advisories/GHSA-57j2-w4cx-62h2"
}
],
"release_date": "2020-08-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T15:53:11+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6787"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: denial of service via a large depth of nested objects"
},
{
"cve": "CVE-2021-42392",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-01-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2039403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server\u2019s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "h2: Remote Code Execution in Console",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP) the openshift4/ose-metering-presto container image ships the vulnerable version of h2, but as it uses default configuration the impact by this vulnerability is LOW. Additionally, the Presto component is part of the OCP Metering stack and since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected component is marked as wontfix.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-42392"
},
{
"category": "external",
"summary": "RHBZ#2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-42392",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42392"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392"
},
{
"category": "external",
"summary": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6",
"url": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6"
}
],
"release_date": "2022-01-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T15:53:11+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6787"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "h2: Remote Code Execution in Console"
},
{
"cve": "CVE-2021-43797",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-12-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031958"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: control chars in header names may lead to HTTP request smuggling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated, hence the affected components are marked as wontfix.\nThe openshift4/ose-logging-elasticsearch6 container is marked as Out of support scope because since the release of OCP 4.7 the logging functionality is delivered as an OpenShift Logging product and OCP 4.6 is already in the Maintenance Support phase.\nA fix was introduced in netty-codec-http version 4.1.72.Final.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-43797"
},
{
"category": "external",
"summary": "RHBZ#2031958",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031958"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-43797",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43797"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq",
"url": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq"
}
],
"release_date": "2021-12-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T15:53:11+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6787"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "netty: control chars in header names may lead to HTTP request smuggling"
},
{
"cve": "CVE-2022-0084",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-03-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2064226"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Although the CVSS stands for 7.5 score, the impact remains Moderate as it demands previous knowledge of the environment to trigger the Denial of Service (DoS)",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0084"
},
{
"category": "external",
"summary": "RHBZ#2064226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0084",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0084"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0084",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0084"
}
],
"release_date": "2022-03-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T15:53:11+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6787"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr"
},
{
"acknowledgments": [
{
"names": [
"Johan Nilsson"
],
"organization": "NRMC team (Nasdaq)"
}
],
"cve": "CVE-2022-0225",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-01-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040268"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Stored XSS in groups dropdown",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0225"
},
{
"category": "external",
"summary": "RHBZ#2040268",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040268"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0225",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0225"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0225",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0225"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m"
}
],
"release_date": "2022-01-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T15:53:11+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6787"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Stored XSS in groups dropdown"
},
{
"acknowledgments": [
{
"names": [
"Oliver Bieri"
],
"organization": "Schindler Elevator Ltd., Switzerland"
}
],
"cve": "CVE-2022-0866",
"cwe": {
"id": "CWE-1220",
"name": "Insufficient Granularity of Access Control"
},
"discovery_date": "2022-02-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060929"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly, where it returns an incorrect caller principal under certain heavily concurrent situations when Elytron Security is used. This flaw allows an attacker to gain improper access to information they should not have.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "JBoss EAP 7.1 until 7.4 is not affected by default as it comes with Legacy Security enabled out-of-the-box. This only affects application scope range and the methods mentioned, no access to server data.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0866"
},
{
"category": "external",
"summary": "RHBZ#2060929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0866",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0866"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0866",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0866"
}
],
"release_date": "2022-05-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T15:53:11+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6787"
},
{
"category": "workaround",
"details": "In order to avoid the possibility of information access, review application source code for \u0027@RunAs\u0027 and \u0027run-as-principal\u0027 usage. Also, make sure the application is using or not Elytron Security. It\u0027s possible to investigate by checking if the commands from \u0027$JBOSS_HOME/docs/examples/enable-elytron.cli\u0027 or similar were executed.",
"product_ids": [
"Red Hat Single Sign-On 7"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled"
},
{
"acknowledgments": [
{
"names": [
"Ayta\u00e7 Kal\u0131nc\u0131",
"Ilker Bulgurcu",
"Yasin Y\u0131lmaz"
],
"organization": "NETA\u015e PENTEST TEAM"
}
],
"cve": "CVE-2022-2256",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-06-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2101942"
}
],
"notes": [
{
"category": "description",
"text": "A Stored Cross-site scripting (XSS) vulnerability was found in keycloak. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: improper input validation permits script injection",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2256"
},
{
"category": "external",
"summary": "RHBZ#2101942",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2101942"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2256",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2256"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2256",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2256"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-w9mf-83w3-fv49",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-w9mf-83w3-fv49"
}
],
"release_date": "2022-06-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T15:53:11+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6787"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: improper input validation permits script injection"
},
{
"acknowledgments": [
{
"names": [
"Marek Posolda"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2022-2668",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2022-08-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2115392"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2668"
},
{
"category": "external",
"summary": "RHBZ#2115392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2115392"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2668",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2668"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2668",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2668"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v"
}
],
"release_date": "2022-08-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-10-04T15:53:11+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6787"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console"
}
]
}
RHSA-2022:7409
Vulnerability from csaf_redhat - Published: 2022-11-03 14:54 - Updated: 2026-05-14 22:32Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.1 security update on RHEL 7
Severity
Moderate
Notes
Topic: New Red Hat Single Sign-On 7.6.1 packages are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.1 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
* h2: Remote Code Execution in Console (CVE-2021-42392)
* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)
* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)
* keycloak: Stored XSS in groups dropdown (CVE-2022-0225)
* wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866)
* keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console (CVE-2022-2668)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server’s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.
6.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.
5.7 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the jboss-client. A memory leak on the JBoss client-side occurs when using UserTransaction repeatedly, leading to an information leakage vulnerability.
6.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Wildfly, where it returns an incorrect caller principal under certain heavily concurrent situations when Elytron Security is used. This flaw allows an attacker to gain improper access to information they should not have.
CWE-1220 - Insufficient Granularity of Access ControlAffected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.
6.4 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
60 references
Acknowledgments
NRMC team (Nasdaq)
Johan Nilsson
Schindler Elevator Ltd., Switzerland
Oliver Bieri
Red Hat
Marek Posolda
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat Single Sign-On 7.6.1 packages are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.1 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)\n\n* h2: Remote Code Execution in Console (CVE-2021-42392)\n\n* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)\n\n* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)\n\n* keycloak: Stored XSS in groups dropdown (CVE-2022-0225)\n\n* wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866)\n\n* keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console (CVE-2022-2668)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:7409",
"url": "https://access.redhat.com/errata/RHSA-2022:7409"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2031958",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031958"
},
{
"category": "external",
"summary": "2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "2040268",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040268"
},
{
"category": "external",
"summary": "2060929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929"
},
{
"category": "external",
"summary": "2064226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
},
{
"category": "external",
"summary": "2064698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
},
{
"category": "external",
"summary": "2115392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2115392"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_7409.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.1 security update on RHEL 7",
"tracking": {
"current_release_date": "2026-05-14T22:32:48+00:00",
"generator": {
"date": "2026-05-14T22:32:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2022:7409",
"initial_release_date": "2022-11-03T14:54:26+00:00",
"revision_history": [
{
"date": "2022-11-03T14:54:26+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-11-03T14:54:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:32:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product": {
"name": "Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"product": {
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"product_id": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.3-1.redhat_00001.1.el7sso?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"product": {
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"product_id": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.3-1.redhat_00001.1.el7sso?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"product": {
"name": "rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"product_id": "rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@18.0.3-1.redhat_00001.1.el7sso?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
},
"product_reference": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"relates_to_product_reference": "7Server-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src"
},
"product_reference": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"relates_to_product_reference": "7Server-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
},
"product_reference": "rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"relates_to_product_reference": "7Server-RHSSO-7.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-36518",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-03-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2064698"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: denial of service via a large depth of nested objects",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "CodeReady Studio is no longer supported and therefore this flaw will not be addressed in CodeReady Studio.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-36518"
},
{
"category": "external",
"summary": "RHBZ#2064698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-36518",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36518"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-57j2-w4cx-62h2",
"url": "https://github.com/advisories/GHSA-57j2-w4cx-62h2"
}
],
"release_date": "2020-08-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7409"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: denial of service via a large depth of nested objects"
},
{
"cve": "CVE-2021-42392",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-01-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2039403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server\u2019s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "h2: Remote Code Execution in Console",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP) the openshift4/ose-metering-presto container image ships the vulnerable version of h2, but as it uses default configuration the impact by this vulnerability is LOW. Additionally, the Presto component is part of the OCP Metering stack and since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected component is marked as wontfix.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-42392"
},
{
"category": "external",
"summary": "RHBZ#2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-42392",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42392"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392"
},
{
"category": "external",
"summary": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6",
"url": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6"
}
],
"release_date": "2022-01-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7409"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "h2: Remote Code Execution in Console"
},
{
"cve": "CVE-2021-42575",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-11-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2027195"
}
],
"notes": [
{
"category": "description",
"text": "The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "owasp-java-html-sanitizer: improper policies enforcement may lead to remote code execution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-42575"
},
{
"category": "external",
"summary": "RHBZ#2027195",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2027195"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-42575",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42575"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-42575",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42575"
}
],
"release_date": "2021-10-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7409"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "owasp-java-html-sanitizer: improper policies enforcement may lead to remote code execution"
},
{
"cve": "CVE-2021-43797",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-12-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031958"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: control chars in header names may lead to HTTP request smuggling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated, hence the affected components are marked as wontfix.\nThe openshift4/ose-logging-elasticsearch6 container is marked as Out of support scope because since the release of OCP 4.7 the logging functionality is delivered as an OpenShift Logging product and OCP 4.6 is already in the Maintenance Support phase.\nA fix was introduced in netty-codec-http version 4.1.72.Final.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-43797"
},
{
"category": "external",
"summary": "RHBZ#2031958",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031958"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-43797",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43797"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq",
"url": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq"
}
],
"release_date": "2021-12-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7409"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "netty: control chars in header names may lead to HTTP request smuggling"
},
{
"cve": "CVE-2022-0084",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-03-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2064226"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Although the CVSS stands for 7.5 score, the impact remains Moderate as it demands previous knowledge of the environment to trigger the Denial of Service (DoS)",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0084"
},
{
"category": "external",
"summary": "RHBZ#2064226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0084",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0084"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0084",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0084"
}
],
"release_date": "2022-03-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7409"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr"
},
{
"acknowledgments": [
{
"names": [
"Johan Nilsson"
],
"organization": "NRMC team (Nasdaq)"
}
],
"cve": "CVE-2022-0225",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-01-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040268"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Stored XSS in groups dropdown",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0225"
},
{
"category": "external",
"summary": "RHBZ#2040268",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040268"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0225",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0225"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0225",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0225"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m"
}
],
"release_date": "2022-01-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7409"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Stored XSS in groups dropdown"
},
{
"cve": "CVE-2022-0853",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"discovery_date": "2022-03-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060725"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the jboss-client. A memory leak on the JBoss client-side occurs when using UserTransaction repeatedly, leading to an information leakage vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jboss-client: memory leakage in remote client transaction",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0853"
},
{
"category": "external",
"summary": "RHBZ#2060725",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060725"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0853",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0853"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0853",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0853"
}
],
"release_date": "2022-03-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7409"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jboss-client: memory leakage in remote client transaction"
},
{
"acknowledgments": [
{
"names": [
"Oliver Bieri"
],
"organization": "Schindler Elevator Ltd., Switzerland"
}
],
"cve": "CVE-2022-0866",
"cwe": {
"id": "CWE-1220",
"name": "Insufficient Granularity of Access Control"
},
"discovery_date": "2022-02-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060929"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly, where it returns an incorrect caller principal under certain heavily concurrent situations when Elytron Security is used. This flaw allows an attacker to gain improper access to information they should not have.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "JBoss EAP 7.1 until 7.4 is not affected by default as it comes with Legacy Security enabled out-of-the-box. This only affects application scope range and the methods mentioned, no access to server data.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0866"
},
{
"category": "external",
"summary": "RHBZ#2060929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0866",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0866"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0866",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0866"
}
],
"release_date": "2022-05-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7409"
},
{
"category": "workaround",
"details": "In order to avoid the possibility of information access, review application source code for \u0027@RunAs\u0027 and \u0027run-as-principal\u0027 usage. Also, make sure the application is using or not Elytron Security. It\u0027s possible to investigate by checking if the commands from \u0027$JBOSS_HOME/docs/examples/enable-elytron.cli\u0027 or similar were executed.",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled"
},
{
"cve": "CVE-2022-1319",
"cwe": {
"id": "CWE-252",
"name": "Unchecked Return Value"
},
"discovery_date": "2022-04-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073890"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: Double AJP response for 400 from EAP 7 results in CPING failures",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1319"
},
{
"category": "external",
"summary": "RHBZ#2073890",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073890"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1319",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1319"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1319",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1319"
}
],
"release_date": "2022-04-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7409"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undertow: Double AJP response for 400 from EAP 7 results in CPING failures"
},
{
"acknowledgments": [
{
"names": [
"Marek Posolda"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2022-2668",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2022-08-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2115392"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2668"
},
{
"category": "external",
"summary": "RHBZ#2115392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2115392"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2668",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2668"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2668",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2668"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v"
}
],
"release_date": "2022-08-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7409"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console"
},
{
"cve": "CVE-2022-23913",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-02-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2063601"
}
],
"notes": [
{
"category": "description",
"text": "In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "artemis-commons: Apache ActiveMQ Artemis DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-23913"
},
{
"category": "external",
"summary": "RHBZ#2063601",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2063601"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-23913",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23913"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23913",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23913"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/fjynj57rd99s814rdn5hzvmx8lz403q2",
"url": "https://lists.apache.org/thread/fjynj57rd99s814rdn5hzvmx8lz403q2"
}
],
"release_date": "2022-02-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:26+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7409"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "artemis-commons: Apache ActiveMQ Artemis DoS"
}
]
}
RHSA-2022:7410
Vulnerability from csaf_redhat - Published: 2022-11-03 14:54 - Updated: 2026-05-14 22:32Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.1 security update on RHEL 8
Severity
Moderate
Notes
Topic: New Red Hat Single Sign-On 7.6.1 packages are now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of none. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.1 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
* h2: Remote Code Execution in Console (CVE-2021-42392)
* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)
* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)
* keycloak: Stored XSS in groups dropdown (CVE-2022-0225)
* wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866)
* keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console (CVE-2022-2668)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server’s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
9.8 (Critical)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.
6.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.
5.7 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the jboss-client. A memory leak on the JBoss client-side occurs when using UserTransaction repeatedly, leading to an information leakage vulnerability.
6.5 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Wildfly, where it returns an incorrect caller principal under certain heavily concurrent situations when Elytron Security is used. This flaw allows an attacker to gain improper access to information they should not have.
CWE-1220 - Insufficient Granularity of Access ControlAffected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.
6.4 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
60 references
Acknowledgments
NRMC team (Nasdaq)
Johan Nilsson
Schindler Elevator Ltd., Switzerland
Oliver Bieri
Red Hat
Marek Posolda
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat Single Sign-On 7.6.1 packages are now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of none. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.1 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)\n\n* h2: Remote Code Execution in Console (CVE-2021-42392)\n\n* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)\n\n* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)\n\n* keycloak: Stored XSS in groups dropdown (CVE-2022-0225)\n\n* wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866)\n\n* keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console (CVE-2022-2668)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:7410",
"url": "https://access.redhat.com/errata/RHSA-2022:7410"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2031958",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031958"
},
{
"category": "external",
"summary": "2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "2040268",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040268"
},
{
"category": "external",
"summary": "2060929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929"
},
{
"category": "external",
"summary": "2064226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
},
{
"category": "external",
"summary": "2064698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
},
{
"category": "external",
"summary": "2115392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2115392"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_7410.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.1 security update on RHEL 8",
"tracking": {
"current_release_date": "2026-05-14T22:32:51+00:00",
"generator": {
"date": "2026-05-14T22:32:51+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2022:7410",
"initial_release_date": "2022-11-03T14:54:28+00:00",
"revision_history": [
{
"date": "2022-11-03T14:54:28+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-11-03T14:54:28+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:32:51+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7.6 for RHEL 8",
"product": {
"name": "Red Hat Single Sign-On 7.6 for RHEL 8",
"product_id": "8Base-RHSSO-7.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"product": {
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"product_id": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.3-1.redhat_00001.1.el8sso?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"product": {
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"product_id": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.3-1.redhat_00001.1.el8sso?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"product": {
"name": "rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"product_id": "rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@18.0.3-1.redhat_00001.1.el8sso?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
"product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
},
"product_reference": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"relates_to_product_reference": "8Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
"product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src"
},
"product_reference": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"relates_to_product_reference": "8Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
"product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
},
"product_reference": "rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"relates_to_product_reference": "8Base-RHSSO-7.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-36518",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-03-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2064698"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: denial of service via a large depth of nested objects",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "CodeReady Studio is no longer supported and therefore this flaw will not be addressed in CodeReady Studio.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-36518"
},
{
"category": "external",
"summary": "RHBZ#2064698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-36518",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36518"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-57j2-w4cx-62h2",
"url": "https://github.com/advisories/GHSA-57j2-w4cx-62h2"
}
],
"release_date": "2020-08-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:28+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7410"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: denial of service via a large depth of nested objects"
},
{
"cve": "CVE-2021-42392",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-01-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2039403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server\u2019s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "h2: Remote Code Execution in Console",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP) the openshift4/ose-metering-presto container image ships the vulnerable version of h2, but as it uses default configuration the impact by this vulnerability is LOW. Additionally, the Presto component is part of the OCP Metering stack and since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected component is marked as wontfix.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-42392"
},
{
"category": "external",
"summary": "RHBZ#2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-42392",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42392"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392"
},
{
"category": "external",
"summary": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6",
"url": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6"
}
],
"release_date": "2022-01-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:28+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7410"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "h2: Remote Code Execution in Console"
},
{
"cve": "CVE-2021-42575",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-11-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2027195"
}
],
"notes": [
{
"category": "description",
"text": "The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "owasp-java-html-sanitizer: improper policies enforcement may lead to remote code execution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-42575"
},
{
"category": "external",
"summary": "RHBZ#2027195",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2027195"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-42575",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42575"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-42575",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42575"
}
],
"release_date": "2021-10-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:28+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7410"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "owasp-java-html-sanitizer: improper policies enforcement may lead to remote code execution"
},
{
"cve": "CVE-2021-43797",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-12-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031958"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: control chars in header names may lead to HTTP request smuggling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated, hence the affected components are marked as wontfix.\nThe openshift4/ose-logging-elasticsearch6 container is marked as Out of support scope because since the release of OCP 4.7 the logging functionality is delivered as an OpenShift Logging product and OCP 4.6 is already in the Maintenance Support phase.\nA fix was introduced in netty-codec-http version 4.1.72.Final.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-43797"
},
{
"category": "external",
"summary": "RHBZ#2031958",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031958"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-43797",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43797"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq",
"url": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq"
}
],
"release_date": "2021-12-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:28+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7410"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "netty: control chars in header names may lead to HTTP request smuggling"
},
{
"cve": "CVE-2022-0084",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-03-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2064226"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Although the CVSS stands for 7.5 score, the impact remains Moderate as it demands previous knowledge of the environment to trigger the Denial of Service (DoS)",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0084"
},
{
"category": "external",
"summary": "RHBZ#2064226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0084",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0084"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0084",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0084"
}
],
"release_date": "2022-03-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:28+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7410"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr"
},
{
"acknowledgments": [
{
"names": [
"Johan Nilsson"
],
"organization": "NRMC team (Nasdaq)"
}
],
"cve": "CVE-2022-0225",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-01-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040268"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Stored XSS in groups dropdown",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0225"
},
{
"category": "external",
"summary": "RHBZ#2040268",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040268"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0225",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0225"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0225",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0225"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m"
}
],
"release_date": "2022-01-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:28+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7410"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Stored XSS in groups dropdown"
},
{
"cve": "CVE-2022-0853",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"discovery_date": "2022-03-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060725"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the jboss-client. A memory leak on the JBoss client-side occurs when using UserTransaction repeatedly, leading to an information leakage vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jboss-client: memory leakage in remote client transaction",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0853"
},
{
"category": "external",
"summary": "RHBZ#2060725",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060725"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0853",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0853"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0853",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0853"
}
],
"release_date": "2022-03-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:28+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7410"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jboss-client: memory leakage in remote client transaction"
},
{
"acknowledgments": [
{
"names": [
"Oliver Bieri"
],
"organization": "Schindler Elevator Ltd., Switzerland"
}
],
"cve": "CVE-2022-0866",
"cwe": {
"id": "CWE-1220",
"name": "Insufficient Granularity of Access Control"
},
"discovery_date": "2022-02-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060929"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly, where it returns an incorrect caller principal under certain heavily concurrent situations when Elytron Security is used. This flaw allows an attacker to gain improper access to information they should not have.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "JBoss EAP 7.1 until 7.4 is not affected by default as it comes with Legacy Security enabled out-of-the-box. This only affects application scope range and the methods mentioned, no access to server data.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0866"
},
{
"category": "external",
"summary": "RHBZ#2060929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0866",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0866"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0866",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0866"
}
],
"release_date": "2022-05-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:28+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7410"
},
{
"category": "workaround",
"details": "In order to avoid the possibility of information access, review application source code for \u0027@RunAs\u0027 and \u0027run-as-principal\u0027 usage. Also, make sure the application is using or not Elytron Security. It\u0027s possible to investigate by checking if the commands from \u0027$JBOSS_HOME/docs/examples/enable-elytron.cli\u0027 or similar were executed.",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled"
},
{
"cve": "CVE-2022-1319",
"cwe": {
"id": "CWE-252",
"name": "Unchecked Return Value"
},
"discovery_date": "2022-04-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073890"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: Double AJP response for 400 from EAP 7 results in CPING failures",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1319"
},
{
"category": "external",
"summary": "RHBZ#2073890",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073890"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1319",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1319"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1319",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1319"
}
],
"release_date": "2022-04-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:28+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7410"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undertow: Double AJP response for 400 from EAP 7 results in CPING failures"
},
{
"acknowledgments": [
{
"names": [
"Marek Posolda"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2022-2668",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2022-08-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2115392"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2668"
},
{
"category": "external",
"summary": "RHBZ#2115392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2115392"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2668",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2668"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2668",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2668"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v"
}
],
"release_date": "2022-08-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:28+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7410"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console"
},
{
"cve": "CVE-2022-23913",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-02-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2063601"
}
],
"notes": [
{
"category": "description",
"text": "In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "artemis-commons: Apache ActiveMQ Artemis DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-23913"
},
{
"category": "external",
"summary": "RHBZ#2063601",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2063601"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-23913",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23913"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23913",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23913"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/fjynj57rd99s814rdn5hzvmx8lz403q2",
"url": "https://lists.apache.org/thread/fjynj57rd99s814rdn5hzvmx8lz403q2"
}
],
"release_date": "2022-02-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:54:28+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7410"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "artemis-commons: Apache ActiveMQ Artemis DoS"
}
]
}
RHSA-2022:7411
Vulnerability from csaf_redhat - Published: 2022-11-03 14:55 - Updated: 2026-05-14 22:32Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.1 security update on RHEL 9
Severity
Moderate
Notes
Topic: New Red Hat Single Sign-On 7.6.1 packages are now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.1 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
* h2: Remote Code Execution in Console (CVE-2021-42392)
* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)
* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)
* keycloak: Stored XSS in groups dropdown (CVE-2022-0225)
* wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866)
* keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console (CVE-2022-2668)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.
7.5 (High)
Affected products
Fixed
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server’s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.
9.8 (Critical)
Affected products
Fixed
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Low
The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
9.8 (Critical)
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch | — | ||
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch | — | ||
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src | — | ||
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch | — |
Threats
Impact
Moderate
A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.
6.5 (Medium)
Affected products
Fixed
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.
7.5 (High)
Affected products
Fixed
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.
5.7 (Medium)
Affected products
Fixed
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the jboss-client. A memory leak on the JBoss client-side occurs when using UserTransaction repeatedly, leading to an information leakage vulnerability.
6.5 (Medium)
Affected products
Fixed
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Wildfly, where it returns an incorrect caller principal under certain heavily concurrent situations when Elytron Security is used. This flaw allows an attacker to gain improper access to information they should not have.
CWE-1220 - Insufficient Granularity of Access ControlAffected products
Fixed
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.
7.5 (High)
Affected products
Fixed
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.
6.4 (Medium)
Affected products
Fixed
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.
7.5 (High)
Affected products
Fixed
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
61 references
Acknowledgments
NRMC team (Nasdaq)
Johan Nilsson
Schindler Elevator Ltd., Switzerland
Oliver Bieri
Red Hat
Marek Posolda
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat Single Sign-On 7.6.1 packages are now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.1 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)\n\n* h2: Remote Code Execution in Console (CVE-2021-42392)\n\n* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)\n\n* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)\n\n* keycloak: Stored XSS in groups dropdown (CVE-2022-0225)\n\n* wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866)\n\n* keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console (CVE-2022-2668)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:7411",
"url": "https://access.redhat.com/errata/RHSA-2022:7411"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/11258",
"url": "https://access.redhat.com/articles/11258"
},
{
"category": "external",
"summary": "2031958",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031958"
},
{
"category": "external",
"summary": "2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "2040268",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040268"
},
{
"category": "external",
"summary": "2060929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929"
},
{
"category": "external",
"summary": "2064226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
},
{
"category": "external",
"summary": "2064698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
},
{
"category": "external",
"summary": "2115392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2115392"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_7411.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.1 security update on RHEL 9",
"tracking": {
"current_release_date": "2026-05-14T22:32:53+00:00",
"generator": {
"date": "2026-05-14T22:32:53+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2022:7411",
"initial_release_date": "2022-11-03T14:55:02+00:00",
"revision_history": [
{
"date": "2022-11-03T14:55:02+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-11-03T14:55:02+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:32:53+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7.6 for RHEL 9",
"product": {
"name": "Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"product": {
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"product_id": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.3-1.redhat_00001.1.el9sso?arch=src"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-0:1-5.el9sso.src",
"product": {
"name": "rh-sso7-0:1-5.el9sso.src",
"product_id": "rh-sso7-0:1-5.el9sso.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7@1-5.el9sso?arch=src"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"product": {
"name": "rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"product_id": "rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-javapackages-tools@6.0.0-7.el9sso?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"product": {
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"product_id": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.3-1.redhat_00001.1.el9sso?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"product": {
"name": "rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"product_id": "rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@18.0.3-1.redhat_00001.1.el9sso?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"product": {
"name": "rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"product_id": "rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-javapackages-filesystem@6.0.0-7.el9sso?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"product": {
"name": "rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"product_id": "rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-javapackages-tools@6.0.0-7.el9sso?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"product": {
"name": "rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"product_id": "rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-python3-javapackages@6.0.0-7.el9sso?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-0:1-5.el9sso.x86_64",
"product": {
"name": "rh-sso7-0:1-5.el9sso.x86_64",
"product_id": "rh-sso7-0:1-5.el9sso.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7@1-5.el9sso?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-runtime-0:1-5.el9sso.x86_64",
"product": {
"name": "rh-sso7-runtime-0:1-5.el9sso.x86_64",
"product_id": "rh-sso7-runtime-0:1-5.el9sso.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-runtime@1-5.el9sso?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-0:1-5.el9sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src"
},
"product_reference": "rh-sso7-0:1-5.el9sso.src",
"relates_to_product_reference": "9Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-0:1-5.el9sso.x86_64 as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64"
},
"product_reference": "rh-sso7-0:1-5.el9sso.x86_64",
"relates_to_product_reference": "9Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch"
},
"product_reference": "rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"relates_to_product_reference": "9Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch"
},
"product_reference": "rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"relates_to_product_reference": "9Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src"
},
"product_reference": "rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"relates_to_product_reference": "9Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch"
},
"product_reference": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"relates_to_product_reference": "9Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src"
},
"product_reference": "rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"relates_to_product_reference": "9Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch"
},
"product_reference": "rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"relates_to_product_reference": "9Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch"
},
"product_reference": "rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"relates_to_product_reference": "9Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-runtime-0:1-5.el9sso.x86_64 as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
},
"product_reference": "rh-sso7-runtime-0:1-5.el9sso.x86_64",
"relates_to_product_reference": "9Base-RHSSO-7.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-36518",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-03-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2064698"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: denial of service via a large depth of nested objects",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "CodeReady Studio is no longer supported and therefore this flaw will not be addressed in CodeReady Studio.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-36518"
},
{
"category": "external",
"summary": "RHBZ#2064698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-36518",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36518"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-57j2-w4cx-62h2",
"url": "https://github.com/advisories/GHSA-57j2-w4cx-62h2"
}
],
"release_date": "2020-08-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:55:02+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7411"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: denial of service via a large depth of nested objects"
},
{
"cve": "CVE-2021-42392",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-01-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2039403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server\u2019s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "h2: Remote Code Execution in Console",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP) the openshift4/ose-metering-presto container image ships the vulnerable version of h2, but as it uses default configuration the impact by this vulnerability is LOW. Additionally, the Presto component is part of the OCP Metering stack and since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected component is marked as wontfix.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-42392"
},
{
"category": "external",
"summary": "RHBZ#2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-42392",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42392"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392"
},
{
"category": "external",
"summary": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6",
"url": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6"
}
],
"release_date": "2022-01-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:55:02+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7411"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "h2: Remote Code Execution in Console"
},
{
"cve": "CVE-2021-42575",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-11-29T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2027195"
}
],
"notes": [
{
"category": "description",
"text": "The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "owasp-java-html-sanitizer: improper policies enforcement may lead to remote code execution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
],
"known_not_affected": [
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-42575"
},
{
"category": "external",
"summary": "RHBZ#2027195",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2027195"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-42575",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42575"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-42575",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42575"
}
],
"release_date": "2021-10-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:55:02+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7411"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "owasp-java-html-sanitizer: improper policies enforcement may lead to remote code execution"
},
{
"cve": "CVE-2021-43797",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-12-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031958"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: control chars in header names may lead to HTTP request smuggling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated, hence the affected components are marked as wontfix.\nThe openshift4/ose-logging-elasticsearch6 container is marked as Out of support scope because since the release of OCP 4.7 the logging functionality is delivered as an OpenShift Logging product and OCP 4.6 is already in the Maintenance Support phase.\nA fix was introduced in netty-codec-http version 4.1.72.Final.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-43797"
},
{
"category": "external",
"summary": "RHBZ#2031958",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031958"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-43797",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43797"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq",
"url": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq"
}
],
"release_date": "2021-12-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:55:02+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7411"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "netty: control chars in header names may lead to HTTP request smuggling"
},
{
"cve": "CVE-2022-0084",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-03-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2064226"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Although the CVSS stands for 7.5 score, the impact remains Moderate as it demands previous knowledge of the environment to trigger the Denial of Service (DoS)",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0084"
},
{
"category": "external",
"summary": "RHBZ#2064226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0084",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0084"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0084",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0084"
}
],
"release_date": "2022-03-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:55:02+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7411"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr"
},
{
"acknowledgments": [
{
"names": [
"Johan Nilsson"
],
"organization": "NRMC team (Nasdaq)"
}
],
"cve": "CVE-2022-0225",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-01-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040268"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Stored XSS in groups dropdown",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0225"
},
{
"category": "external",
"summary": "RHBZ#2040268",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040268"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0225",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0225"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0225",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0225"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m"
}
],
"release_date": "2022-01-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:55:02+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7411"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Stored XSS in groups dropdown"
},
{
"cve": "CVE-2022-0853",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"discovery_date": "2022-03-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060725"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the jboss-client. A memory leak on the JBoss client-side occurs when using UserTransaction repeatedly, leading to an information leakage vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jboss-client: memory leakage in remote client transaction",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0853"
},
{
"category": "external",
"summary": "RHBZ#2060725",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060725"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0853",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0853"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0853",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0853"
}
],
"release_date": "2022-03-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:55:02+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7411"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jboss-client: memory leakage in remote client transaction"
},
{
"acknowledgments": [
{
"names": [
"Oliver Bieri"
],
"organization": "Schindler Elevator Ltd., Switzerland"
}
],
"cve": "CVE-2022-0866",
"cwe": {
"id": "CWE-1220",
"name": "Insufficient Granularity of Access Control"
},
"discovery_date": "2022-02-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060929"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly, where it returns an incorrect caller principal under certain heavily concurrent situations when Elytron Security is used. This flaw allows an attacker to gain improper access to information they should not have.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "JBoss EAP 7.1 until 7.4 is not affected by default as it comes with Legacy Security enabled out-of-the-box. This only affects application scope range and the methods mentioned, no access to server data.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0866"
},
{
"category": "external",
"summary": "RHBZ#2060929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0866",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0866"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0866",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0866"
}
],
"release_date": "2022-05-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:55:02+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7411"
},
{
"category": "workaround",
"details": "In order to avoid the possibility of information access, review application source code for \u0027@RunAs\u0027 and \u0027run-as-principal\u0027 usage. Also, make sure the application is using or not Elytron Security. It\u0027s possible to investigate by checking if the commands from \u0027$JBOSS_HOME/docs/examples/enable-elytron.cli\u0027 or similar were executed.",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled"
},
{
"cve": "CVE-2022-1319",
"cwe": {
"id": "CWE-252",
"name": "Unchecked Return Value"
},
"discovery_date": "2022-04-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073890"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: Double AJP response for 400 from EAP 7 results in CPING failures",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1319"
},
{
"category": "external",
"summary": "RHBZ#2073890",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073890"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1319",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1319"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1319",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1319"
}
],
"release_date": "2022-04-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:55:02+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7411"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undertow: Double AJP response for 400 from EAP 7 results in CPING failures"
},
{
"acknowledgments": [
{
"names": [
"Marek Posolda"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2022-2668",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2022-08-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2115392"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2668"
},
{
"category": "external",
"summary": "RHBZ#2115392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2115392"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2668",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2668"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2668",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2668"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v"
}
],
"release_date": "2022-08-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:55:02+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7411"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console"
},
{
"cve": "CVE-2022-23913",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-02-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2063601"
}
],
"notes": [
{
"category": "description",
"text": "In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "artemis-commons: Apache ActiveMQ Artemis DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-23913"
},
{
"category": "external",
"summary": "RHBZ#2063601",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2063601"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-23913",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23913"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23913",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23913"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/fjynj57rd99s814rdn5hzvmx8lz403q2",
"url": "https://lists.apache.org/thread/fjynj57rd99s814rdn5hzvmx8lz403q2"
}
],
"release_date": "2022-02-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T14:55:02+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7411"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-0:1-5.el9sso.x86_64",
"9Base-RHSSO-7.6:rh-sso7-javapackages-filesystem-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:6.0.0-7.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.3-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:6.0.0-7.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-runtime-0:1-5.el9sso.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "artemis-commons: Apache ActiveMQ Artemis DoS"
}
]
}
RHSA-2022:7417
Vulnerability from csaf_redhat - Published: 2022-11-03 15:14 - Updated: 2026-05-14 22:32Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.1 security update
Severity
Moderate
Notes
Topic: A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.1 serves as a replacement for Red Hat Single Sign-On 7.6.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
* h2: Remote Code Execution in Console (CVE-2021-42392)
* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)
* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)
* keycloak: Stored XSS in groups dropdown (CVE-2022-0225)
* wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866)
* keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console (CVE-2022-2668)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7.6.1
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6.1
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server’s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7.6.1
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6.1
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7.6.1
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6.1
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7.6.1
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6.1
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7.6.1
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6.1
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.
5.7 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7.6.1
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6.1
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the jboss-client. A memory leak on the JBoss client-side occurs when using UserTransaction repeatedly, leading to an information leakage vulnerability.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7.6.1
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6.1
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Wildfly, where it returns an incorrect caller principal under certain heavily concurrent situations when Elytron Security is used. This flaw allows an attacker to gain improper access to information they should not have.
CWE-1220 - Insufficient Granularity of Access ControlAffected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7.6.1
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6.1
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7.6.1
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6.1
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.
6.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7.6.1
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6.1
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Single Sign-On 7.6.1
Red Hat / Red Hat Single Sign-On
|
cpe:/a:redhat:red_hat_single_sign_on:7.6.1
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
61 references
Acknowledgments
NRMC team (Nasdaq)
Johan Nilsson
Schindler Elevator Ltd., Switzerland
Oliver Bieri
Red Hat
Marek Posolda
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.1 serves as a replacement for Red Hat Single Sign-On 7.6.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)\n\n* h2: Remote Code Execution in Console (CVE-2021-42392)\n\n* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)\n\n* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)\n\n* keycloak: Stored XSS in groups dropdown (CVE-2022-0225)\n\n* wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866)\n\n* keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console (CVE-2022-2668)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:7417",
"url": "https://access.redhat.com/errata/RHSA-2022:7417"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.6",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.6"
},
{
"category": "external",
"summary": "2031958",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031958"
},
{
"category": "external",
"summary": "2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "2040268",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040268"
},
{
"category": "external",
"summary": "2060929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929"
},
{
"category": "external",
"summary": "2064226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
},
{
"category": "external",
"summary": "2064698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
},
{
"category": "external",
"summary": "2115392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2115392"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_7417.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.1 security update",
"tracking": {
"current_release_date": "2026-05-14T22:32:49+00:00",
"generator": {
"date": "2026-05-14T22:32:49+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2022:7417",
"initial_release_date": "2022-11-03T15:14:51+00:00",
"revision_history": [
{
"date": "2022-11-03T15:14:51+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-11-03T15:14:51+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:32:49+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7.6.1",
"product": {
"name": "Red Hat Single Sign-On 7.6.1",
"product_id": "Red Hat Single Sign-On 7.6.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6.1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-36518",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-03-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2064698"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: denial of service via a large depth of nested objects",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "CodeReady Studio is no longer supported and therefore this flaw will not be addressed in CodeReady Studio.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7.6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-36518"
},
{
"category": "external",
"summary": "RHBZ#2064698",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-36518",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36518"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-57j2-w4cx-62h2",
"url": "https://github.com/advisories/GHSA-57j2-w4cx-62h2"
}
],
"release_date": "2020-08-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T15:14:51+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7.6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7417"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7.6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: denial of service via a large depth of nested objects"
},
{
"cve": "CVE-2021-42392",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-01-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2039403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server\u2019s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "h2: Remote Code Execution in Console",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP) the openshift4/ose-metering-presto container image ships the vulnerable version of h2, but as it uses default configuration the impact by this vulnerability is LOW. Additionally, the Presto component is part of the OCP Metering stack and since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected component is marked as wontfix.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7.6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-42392"
},
{
"category": "external",
"summary": "RHBZ#2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-42392",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42392"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392"
},
{
"category": "external",
"summary": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6",
"url": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6"
}
],
"release_date": "2022-01-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T15:14:51+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7.6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7417"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7.6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "h2: Remote Code Execution in Console"
},
{
"cve": "CVE-2021-42575",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-11-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2027195"
}
],
"notes": [
{
"category": "description",
"text": "The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "owasp-java-html-sanitizer: improper policies enforcement may lead to remote code execution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7.6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-42575"
},
{
"category": "external",
"summary": "RHBZ#2027195",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2027195"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-42575",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42575"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-42575",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42575"
}
],
"release_date": "2021-10-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T15:14:51+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7.6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7417"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7.6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "owasp-java-html-sanitizer: improper policies enforcement may lead to remote code execution"
},
{
"cve": "CVE-2021-43797",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-12-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031958"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: control chars in header names may lead to HTTP request smuggling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated, hence the affected components are marked as wontfix.\nThe openshift4/ose-logging-elasticsearch6 container is marked as Out of support scope because since the release of OCP 4.7 the logging functionality is delivered as an OpenShift Logging product and OCP 4.6 is already in the Maintenance Support phase.\nA fix was introduced in netty-codec-http version 4.1.72.Final.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7.6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-43797"
},
{
"category": "external",
"summary": "RHBZ#2031958",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031958"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-43797",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43797"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq",
"url": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq"
}
],
"release_date": "2021-12-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T15:14:51+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7.6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7417"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7.6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "netty: control chars in header names may lead to HTTP request smuggling"
},
{
"cve": "CVE-2022-0084",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-03-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2064226"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Although the CVSS stands for 7.5 score, the impact remains Moderate as it demands previous knowledge of the environment to trigger the Denial of Service (DoS)",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7.6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0084"
},
{
"category": "external",
"summary": "RHBZ#2064226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0084",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0084"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0084",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0084"
}
],
"release_date": "2022-03-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T15:14:51+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7.6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7417"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7.6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr"
},
{
"acknowledgments": [
{
"names": [
"Johan Nilsson"
],
"organization": "NRMC team (Nasdaq)"
}
],
"cve": "CVE-2022-0225",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-01-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2040268"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Stored XSS in groups dropdown",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7.6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0225"
},
{
"category": "external",
"summary": "RHBZ#2040268",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040268"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0225",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0225"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0225",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0225"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m"
}
],
"release_date": "2022-01-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T15:14:51+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7.6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7417"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7.6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Stored XSS in groups dropdown"
},
{
"cve": "CVE-2022-0853",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"discovery_date": "2022-03-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060725"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the jboss-client. A memory leak on the JBoss client-side occurs when using UserTransaction repeatedly, leading to an information leakage vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jboss-client: memory leakage in remote client transaction",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7.6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0853"
},
{
"category": "external",
"summary": "RHBZ#2060725",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060725"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0853",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0853"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0853",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0853"
}
],
"release_date": "2022-03-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T15:14:51+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7.6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7417"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7.6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jboss-client: memory leakage in remote client transaction"
},
{
"acknowledgments": [
{
"names": [
"Oliver Bieri"
],
"organization": "Schindler Elevator Ltd., Switzerland"
}
],
"cve": "CVE-2022-0866",
"cwe": {
"id": "CWE-1220",
"name": "Insufficient Granularity of Access Control"
},
"discovery_date": "2022-02-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060929"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly, where it returns an incorrect caller principal under certain heavily concurrent situations when Elytron Security is used. This flaw allows an attacker to gain improper access to information they should not have.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "JBoss EAP 7.1 until 7.4 is not affected by default as it comes with Legacy Security enabled out-of-the-box. This only affects application scope range and the methods mentioned, no access to server data.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7.6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0866"
},
{
"category": "external",
"summary": "RHBZ#2060929",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0866",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0866"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0866",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0866"
}
],
"release_date": "2022-05-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T15:14:51+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7.6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7417"
},
{
"category": "workaround",
"details": "In order to avoid the possibility of information access, review application source code for \u0027@RunAs\u0027 and \u0027run-as-principal\u0027 usage. Also, make sure the application is using or not Elytron Security. It\u0027s possible to investigate by checking if the commands from \u0027$JBOSS_HOME/docs/examples/enable-elytron.cli\u0027 or similar were executed.",
"product_ids": [
"Red Hat Single Sign-On 7.6.1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7.6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled"
},
{
"cve": "CVE-2022-1319",
"cwe": {
"id": "CWE-252",
"name": "Unchecked Return Value"
},
"discovery_date": "2022-04-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073890"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: Double AJP response for 400 from EAP 7 results in CPING failures",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7.6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1319"
},
{
"category": "external",
"summary": "RHBZ#2073890",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073890"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1319",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1319"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1319",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1319"
}
],
"release_date": "2022-04-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T15:14:51+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7.6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7417"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7.6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undertow: Double AJP response for 400 from EAP 7 results in CPING failures"
},
{
"acknowledgments": [
{
"names": [
"Marek Posolda"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2022-2668",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2022-08-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2115392"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7.6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2668"
},
{
"category": "external",
"summary": "RHBZ#2115392",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2115392"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2668",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2668"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2668",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2668"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v"
}
],
"release_date": "2022-08-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T15:14:51+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7.6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7417"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7.6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console"
},
{
"cve": "CVE-2022-23913",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-02-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2063601"
}
],
"notes": [
{
"category": "description",
"text": "In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "artemis-commons: Apache ActiveMQ Artemis DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7.6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-23913"
},
{
"category": "external",
"summary": "RHBZ#2063601",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2063601"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-23913",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23913"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23913",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23913"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/fjynj57rd99s814rdn5hzvmx8lz403q2",
"url": "https://lists.apache.org/thread/fjynj57rd99s814rdn5hzvmx8lz403q2"
}
],
"release_date": "2022-02-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-03T15:14:51+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7.6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7417"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7.6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "artemis-commons: Apache ActiveMQ Artemis DoS"
}
]
}
RHSA-2025:1747
Vulnerability from csaf_redhat - Published: 2025-02-24 00:08 - Updated: 2026-05-23 14:36Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.3.12 security update
Severity
Critical
Notes
Topic: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat
JBoss Enterprise Application Platform 7.3.12 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.11, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.12 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* velocity: arbitrary code execution when attacker is able to modify templates [eap-7.3.z] (CVE-2020-13936)
* CXF: Apache CXF: directory listing / code exfiltration [eap-7.3.z] (CVE-2022-46363)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability [eap-7.3.z] (CVE-2022-45047)
* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value [eap-7.3.z] (CVE-2021-44228)
* commons-text: apache-commons-text: variable interpolation RCE [eap-7.3.z] (CVE-2022-42889)
* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) [eap-7.3.z] (CVE-2021-45046)
* org.jboss.hal-hal-parent: minimist: prototype pollution [eap-7.3.z] (CVE-2021-44906)
* jackson-databind: use of deeply nested arrays [eap-7.3.z] (CVE-2022-42004)
* snakeyaml: Constructor Deserialization Remote Code Execution [eap-7.3.z] (CVE-2022-1471)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [eap-7.3.z] (CVE-2022-41881)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [eap-7.3.z] (CVE-2022-42003)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos [eap-7.3.z] (CVE-2022-45693)
* h2: Remote Code Execution in Console [eap-7.3.z] (CVE-2021-42392)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in velocity. An attacker, able to modify Velocity templates, may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
8.8 (High)
Affected products
Fixed
52 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server’s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.
9.8 (Critical)
Affected products
Fixed
52 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.
9.8 (Critical)
Affected products
Fixed
52 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Exploit Status
CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Impact
Critical
An Uncontrolled Resource Consumption flaw was found in minimist. The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. This flaw (CVE-2021-44906) allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')Affected products
Fixed
52 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.
8.1 (High)
Affected products
Fixed
52 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Exploit Status
CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Impact
Moderate
A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).
9.8 (Critical)
Affected products
Fixed
27 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
Known not affected
25 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Threats
Impact
Important
A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).
7.5 (High)
Affected products
Fixed
52 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.
7.5 (High)
Affected products
Fixed
27 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
Known not affected
25 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Threats
Impact
Moderate
A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.
7.5 (High)
Affected products
Fixed
27 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
Known not affected
25 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Threats
Impact
Moderate
A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.
9.8 (Critical)
Affected products
Fixed
52 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Critical
A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.
9.8 (Critical)
Affected products
Fixed
52 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.
7.5 (High)
Affected products
Fixed
27 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
Known not affected
25 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Threats
Impact
Moderate
A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.
7.5 (High)
Affected products
Fixed
52 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
87 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat\nJBoss Enterprise Application Platform 7.3.12 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.11, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.12 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* velocity: arbitrary code execution when attacker is able to modify templates [eap-7.3.z] (CVE-2020-13936)\n\n* CXF: Apache CXF: directory listing / code exfiltration [eap-7.3.z] (CVE-2022-46363)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability [eap-7.3.z] (CVE-2022-45047)\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value [eap-7.3.z] (CVE-2021-44228)\n\n* commons-text: apache-commons-text: variable interpolation RCE [eap-7.3.z] (CVE-2022-42889)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) [eap-7.3.z] (CVE-2021-45046)\n\n* org.jboss.hal-hal-parent: minimist: prototype pollution [eap-7.3.z] (CVE-2021-44906)\n\n* jackson-databind: use of deeply nested arrays [eap-7.3.z] (CVE-2022-42004)\n\n* snakeyaml: Constructor Deserialization Remote Code Execution [eap-7.3.z] (CVE-2022-1471)\n\n* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [eap-7.3.z] (CVE-2022-41881)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [eap-7.3.z] (CVE-2022-42003)\n\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos [eap-7.3.z] (CVE-2022-45693)\n\n* h2: Remote Code Execution in Console [eap-7.3.z] (CVE-2021-42392)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:1747",
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3",
"url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/index",
"url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/index"
},
{
"category": "external",
"summary": "1937440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937440"
},
{
"category": "external",
"summary": "2030932",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932"
},
{
"category": "external",
"summary": "2032580",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580"
},
{
"category": "external",
"summary": "2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "JBEAP-28581",
"url": "https://issues.redhat.com/browse/JBEAP-28581"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_1747.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.3.12 security update",
"tracking": {
"current_release_date": "2026-05-23T14:36:04+00:00",
"generator": {
"date": "2026-05-23T14:36:04+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:1747",
"initial_release_date": "2025-02-24T00:08:38+00:00",
"revision_history": [
{
"date": "2025-02-24T00:08:38+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-02-24T00:08:38+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-23T14:36:04+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.2.17-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"product": {
"name": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"product_id": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.10.4-4.redhat_00004.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"product": {
"name": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"product_id": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-netty@4.1.63-4.Final_redhat_00002.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"product_id": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-snakeyaml@1.33.0-1.SP1_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"product": {
"name": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"product_id": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-2.redhat_00002.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"product": {
"name": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"product_id": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.10.4-4.redhat_00004.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product": {
"name": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product_id": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.10.4-2.redhat_00004.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product": {
"name": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product_id": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-core@2.10.4-2.redhat_00004.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product": {
"name": "eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product_id": "eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-providers@2.10.4-2.redhat_00004.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product": {
"name": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product_id": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.10.4-2.redhat_00004.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"product": {
"name": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"product_id": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.3.12-3.GA_redhat_00002.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy@3.11.6-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.2.17-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.10.4-4.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"product_id": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-netty@4.1.63-4.Final_redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"product_id": "eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-netty-all@4.1.63-4.Final_redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-snakeyaml@1.33.0-1.SP1_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"product_id": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-2.redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-module-jaxb-annotations@2.10.4-4.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.10.4-4.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.10.4-2.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-core@2.10.4-2.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-base@2.10.4-2.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-json-provider@2.10.4-2.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-datatype-jdk8@2.10.4-2.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-datatype-jsr310@2.10.4-2.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.10.4-2.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_id": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.3.12-3.GA_redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_id": "eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.3.12-3.GA_redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_id": "eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.3.12-3.GA_redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_id": "eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.3.12-3.GA_redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_id": "eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.3.12-3.GA_redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-atom-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-cdi@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-client@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-client-microprofile@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-crypto@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jackson-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jackson2-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jaxb-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jaxrs@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jettison-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jose-jwt@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jsapi@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-json-binding-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-json-p-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-multipart-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-rxjava2@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-spring@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-validator-provider-11@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-yaml-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src"
},
"product_reference": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src"
},
"product_reference": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src"
},
"product_reference": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src"
},
"product_reference": "eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src"
},
"product_reference": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src"
},
"product_reference": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src"
},
"product_reference": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src"
},
"product_reference": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src"
},
"product_reference": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-13936",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2021-03-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1937440"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in velocity. An attacker, able to modify Velocity templates, may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "velocity: arbitrary code execution when attacker is able to modify templates",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity. The references to the library only occur in the x-pack component which is an enterprise-only feature of Elasticsearch - hence it has been marked as wontfix as this time and may be fixed in a future release. Additionally the hive container only references velocity in the testutils of the code but the code still exists in the container, as such it has been given a Moderate impact.\n\n* Velocity as shipped with Red Hat Enterprise Linux 6 is not affected because it does not contain the vulnerable code.\n\n* Velocity as shipped with Red Hat Enterprise Linux 7 contains a vulnerable version, but it is used as a dependency for IdM/ipa, which does not use the vulnerable functionality. It has been marked as Moderate for this reason.\n\n* Although velocity shipped in Red Hat Enterprise Linux 8\u0027s pki-deps:10.6 for IdM/ipa is a vulnerable version, the vulnerable code is not used by pki. It has been marked as Low for this reason.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-13936"
},
{
"category": "external",
"summary": "RHBZ#1937440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937440"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-13936",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13936"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13936",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13936"
}
],
"release_date": "2021-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "velocity: arbitrary code execution when attacker is able to modify templates"
},
{
"cve": "CVE-2021-42392",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-01-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2039403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server\u2019s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "h2: Remote Code Execution in Console",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP) the openshift4/ose-metering-presto container image ships the vulnerable version of h2, but as it uses default configuration the impact by this vulnerability is LOW. Additionally, the Presto component is part of the OCP Metering stack and since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected component is marked as wontfix.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-42392"
},
{
"category": "external",
"summary": "RHBZ#2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-42392",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42392"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392"
},
{
"category": "external",
"summary": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6",
"url": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6"
}
],
"release_date": "2022-01-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "h2: Remote Code Execution in Console"
},
{
"cve": "CVE-2021-44228",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-12-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2030932"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44228"
},
{
"category": "external",
"summary": "RHBZ#2030932",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932"
},
{
"category": "external",
"summary": "RHSB-2021-009",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q",
"url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
},
{
"category": "external",
"summary": "https://logging.apache.org/log4j/2.x/security.html",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"category": "external",
"summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/",
"url": "https://www.lunasec.io/docs/blog/log4j-zero-day/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-12-10T02:01:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
},
{
"category": "workaround",
"details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2021-12-10T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Critical"
}
],
"title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. This flaw (CVE-2021-44906) allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "As minimist is an argument parsing module for nodejs, exploitation of this vulnerability requires an attacker to influence which arguments are passed to nodejs when running a script. Red Hat products and services are designed in such a way that gaining this ability is not trivial. Additionally, the impact is limited by only enabling the pollution of functions, and not all generic objects.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"cve": "CVE-2021-45046",
"cwe": {
"id": "CWE-917",
"name": "Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)"
},
"discovery_date": "2021-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2032580"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-45046"
},
{
"category": "external",
"summary": "RHBZ#2032580",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45046"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2021-44228",
"url": "https://access.redhat.com/security/cve/CVE-2021-44228"
},
{
"category": "external",
"summary": "https://logging.apache.org/log4j/2.x/security.html",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4",
"url": "https://www.openwall.com/lists/oss-security/2021/12/14/4"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-12-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
},
{
"category": "workaround",
"details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2023-05-01T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Moderate"
}
],
"title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-41881",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153379"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41881"
},
{
"category": "external",
"summary": "RHBZ#2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881"
}
],
"release_date": "2022-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-42889",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2022-10-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135435"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-text: variable interpolation RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42889"
},
{
"category": "external",
"summary": "RHBZ#2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42889",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42889"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889"
},
{
"category": "external",
"summary": "https://blogs.apache.org/security/entry/cve-2022-42889",
"url": "https://blogs.apache.org/security/entry/cve-2022-42889"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om",
"url": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om"
},
{
"category": "external",
"summary": "https://seclists.org/oss-sec/2022/q4/22",
"url": "https://seclists.org/oss-sec/2022/q4/22"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
},
{
"category": "workaround",
"details": "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "apache-commons-text: variable interpolation RCE"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
}
]
}
WID-SEC-W-2022-0098
Vulnerability from csaf_certbund - Published: 2022-01-06 23:00 - Updated: 2024-06-13 22:00Summary
H2: Schwachstelle ermöglicht Codeausführung
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: H2 ist eine in Java geschriebene, einbettbare Datenbank.
Angriff: Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in H2 ausnutzen, um beliebigen Programmcode auszuführen.
Betroffene Betriebssysteme: - Sonstiges
Es existiert eine Schwachstelle in H2 im Zusammenhang mit Java JNDI URLs. Ein entfernter authentisierter Angreifer kann diese Schwachstelle zur Ausführung von beliebigem Code ausnutzen.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— |
References
18 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "H2 ist eine in Java geschriebene, einbettbare Datenbank.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in H2 ausnutzen, um beliebigen Programmcode auszuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2022-0098 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-0098.json"
},
{
"category": "self",
"summary": "WID-SEC-2022-0098 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0098"
},
{
"category": "external",
"summary": "GitHub Advisory Database vom 2022-01-06",
"url": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:4918 vom 2022-06-06",
"url": "https://access.redhat.com/errata/RHSA-2022:4918"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:4922 vom 2022-06-06",
"url": "https://access.redhat.com/errata/RHSA-2022:4922"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:4919 vom 2022-06-06",
"url": "https://access.redhat.com/errata/RHSA-2022:4919"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-2923 vom 2022-02-15",
"url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00017.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DSA-5076 vom 2022-02-15",
"url": "https://lists.debian.org/debian-security-announce/2022/msg00043.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:1013 vom 2022-03-22",
"url": "https://access.redhat.com/errata/RHSA-2022:1013"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-5365-1 vom 2022-04-05",
"url": "https://ubuntu.com/security/notices/USN-5365-1"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:6787 vom 2022-10-04",
"url": "https://access.redhat.com/errata/RHSA-2022:6787"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:6782 vom 2022-10-04",
"url": "https://access.redhat.com/errata/RHSA-2022:6782"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:6783 vom 2022-10-04",
"url": "https://access.redhat.com/errata/RHSA-2022:6783"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:7417 vom 2022-11-03",
"url": "https://access.redhat.com/errata/RHSA-2022:7417"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:7409 vom 2022-11-03",
"url": "https://access.redhat.com/errata/RHSA-2022:7409"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:7410 vom 2022-11-03",
"url": "https://access.redhat.com/errata/RHSA-2022:7410"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:7411 vom 2022-11-03",
"url": "https://access.redhat.com/errata/RHSA-2022:7411"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-6834-1 vom 2024-06-13",
"url": "https://www.google.com/url?q=https%3A%2F%2Fubuntu.com%2Fsecurity%2Fnotices%2FUSN-6834-1\u0026%3Bsource=gmail\u0026%3Bust=1718378370385000\u0026%3Busg=AOvVaw0RVF_FMFfBi3o2pZ10vhWK"
}
],
"source_lang": "en-US",
"title": "H2: Schwachstelle erm\u00f6glicht Codeausf\u00fchrung",
"tracking": {
"current_release_date": "2024-06-13T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:26:30.439+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2022-0098",
"initial_release_date": "2022-01-06T23:00:00.000+00:00",
"revision_history": [
{
"date": "2022-01-06T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2022-01-09T23:00:00.000+00:00",
"number": "2",
"summary": "Korrektur"
},
{
"date": "2022-02-14T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2022-02-15T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2022-03-22T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2022-04-05T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Ubuntu aufgenommen"
},
{
"date": "2022-06-06T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2022-10-04T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2022-11-03T23:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-06-13T22:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von Ubuntu aufgenommen"
}
],
"status": "final",
"version": "10"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c2.0.206",
"product": {
"name": "Open Source H2 \u003c2.0.206",
"product_id": "419070"
}
}
],
"category": "product_name",
"name": "H2"
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "Ubuntu Linux",
"product": {
"name": "Ubuntu Linux",
"product_id": "T000126",
"product_identification_helper": {
"cpe": "cpe:/o:canonical:ubuntu_linux:-"
}
}
}
],
"category": "vendor",
"name": "Ubuntu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-42392",
"notes": [
{
"category": "description",
"text": "Es existiert eine Schwachstelle in H2 im Zusammenhang mit Java JNDI URLs. Ein entfernter authentisierter Angreifer kann diese Schwachstelle zur Ausf\u00fchrung von beliebigem Code ausnutzen."
}
],
"product_status": {
"known_affected": [
"2951",
"67646",
"T000126"
]
},
"release_date": "2022-01-06T23:00:00.000+00:00",
"title": "CVE-2021-42392"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…