CVE-2021-44549 (GCVE-0-2021-44549)
Vulnerability from cvelistv5 – Published: 2021-12-14 15:15 – Updated: 2024-08-04 04:25
Title
SMTPS server hostname not checked when making TLS connection to SMTPS server
Summary
Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks, additional server identity checks must be performed when accessing mail servers. For compatibility reasons, these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks, and these checks are enabled by default.
- https://javaee.github.io/javamail/docs/SSLNOTES.txt
- https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html
- https://github.com/eclipse-ee4j/mail/issues/429
Severity
No CVSS data available.
CWE
- CWE-295: Improper Certificate Validation
- CWE-297: Improper Validation of Certificate with Host Mismatch
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Sling Commons Messaging Mail | Affected: Apache Sling Commons Messaging Mail 1.0.0 (1.0.0) |
Credits
The issue was reported by Michael Lescisin.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:25:16.815Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Sling Commons Messaging Mail",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Sling Commons Messaging Mail 1.0.0 1.0.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "The issue was reported by Michael Lescisin."
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of \"man in the middle\" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default. - https://javaee.github.io/javamail/docs/SSLNOTES.txt - https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html - https://github.com/eclipse-ee4j/mail/issues/429"
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation, CWE-297: Improper Validation of Certificate with Host Mismatch",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-14T15:15:10.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7f"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SMTPS server hostname not checked when making TLS connection to SMTPS server",
"workarounds": [
{
"lang": "en",
"value": "Set the property mail.smtps.ssl.checkserveridentity to true via message\u0027s session."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-44549",
"STATE": "PUBLIC",
"TITLE": "SMTPS server hostname not checked when making TLS connection to SMTPS server"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Sling Commons Messaging Mail",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "Apache Sling Commons Messaging Mail 1.0.0",
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "The issue was reported by Michael Lescisin."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of \"man in the middle\" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default. - https://javaee.github.io/javamail/docs/SSLNOTES.txt - https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html - https://github.com/eclipse-ee4j/mail/issues/429"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "low"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295: Improper Certificate Validation, CWE-297: Improper Validation of Certificate with Host Mismatch"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7f",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7f"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Set the property mail.smtps.ssl.checkserveridentity to true via message\u0027s session."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-44549",
"datePublished": "2021-12-14T15:15:10.000Z",
"dateReserved": "2021-12-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T04:25:16.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-44549",
"date": "2026-05-28",
"epss": "0.00185",
"percentile": "0.39953"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-44549\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2021-12-14T16:15:09.763\",\"lastModified\":\"2024-11-21T06:31:12.580\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of \\\"man in the middle\\\" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default. - https://javaee.github.io/javamail/docs/SSLNOTES.txt - https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html - https://github.com/eclipse-ee4j/mail/issues/429\"},{\"lang\":\"es\",\"value\":\"Apache Sling Commons Messaging Mail proporciona una capa sencilla sobre JavaMail/Jakarta Mail para OSGi para enviar correos por medio de SMTPS. Para reducir el riesgo de ataques de tipo \\\"man in the middle\\\" deben realizarse comprobaciones adicionales de la identidad del servidor cuando accede a los servidores de correo. Por razones de compatibilidad, estas comprobaciones adicionales est\u00e1n deshabilitadas por defecto en JavaMail/Jakarta Mail. El SimpleMailService de Apache Sling Commons Messaging Mail versi\u00f3n 1.0 carece de una opci\u00f3n para habilitar estas comprobaciones para la sesi\u00f3n de correo compartido. Sin embargo, un usuario podr\u00eda habilitar estas comprobaciones accediendo a la sesi\u00f3n por medio del mensaje creado por SimpleMessageBuilder y estableciendo la propiedad mail.smtps.ssl.checkserveridentity a true. Apache Sling Commons Messaging Mail versi\u00f3n 2.0 a\u00f1ade soporte para habilitar las comprobaciones de identidad del servidor y estas comprobaciones est\u00e1n habilitadas por defecto. - https://javaee.github.io/javamail/docs/SSLNOTES.txt - https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html - https://github.com/eclipse-ee4j/mail/issues/429\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:N\",\"baseScore\":5.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:sling_commons_messaging_mail:1.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"32B6D607-277A-4C47-82F7-D205229B331A\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7f\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}"
}
}
WID-SEC-W-2024-3147
Vulnerability from csaf_certbund - Published: 2024-10-10 22:00 - Updated: 2025-11-10 23:00
Summary
Red Hat products: Multiple vulnerabilities
Severity
High
Notes
As the provider of its own content made available for use, the BSI is responsible for that content under the general laws. Users, however, are responsible for carefully checking the use and/or implementation of the information provided with the content in each individual case.
Product description: Red Hat Enterprise Linux (RHEL) is a popular Linux distribution.
Red Hat OpenStack is a collection of services for providing cloud computing in the form of Infrastructure as a Service (IaaS).
Red Hat OpenShift is a "Platform as a Service" (PaaS) solution for deploying applications in the cloud.
Apache Camel is an integration framework that implements Enterprise Integration Patterns.
JBoss Enterprise Application Platform is a scalable platform for Java applications, including JBoss Application Server, JBoss Hibernate and JBoss Seam.
Red Hat JBoss Data Grid is a distributed in-memory database for fast access to large data volumes and for scalability.
Attack: A remote anonymous attacker can exploit multiple vulnerabilities in Red Hat products to manipulate files, execute arbitrary code and cause a denial-of-service condition.
Affected operating systems:
- Other
- UNIX
- Windows
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat Enterprise Linux (Red Hat / Enterprise Linux) | cpe:/o:redhat:enterprise_linux:- | — | |
| Red Hat Enterprise Linux Cryostat 3 (Red Hat / Enterprise Linux) | cpe:/o:redhat:enterprise_linux:cryostat_3 | Cryostat 3 | |
| Red Hat JBoss Enterprise Application Platform Quarkus <3.2.12.SP1 (Red Hat / JBoss Enterprise Application Platform) | | Quarkus <3.2.12.SP1 | |
| Red Hat OpenShift (Red Hat / OpenShift) | cpe:/a:redhat:openshift:- | — | |
| NetApp ActiveIQ Unified Manager (NetApp) | cpe:/a:netapp:active_iq_unified_manager:- | — | |
| Apache Camel (Apache) | cpe:/a:apache:camel:- | — | |
| Red Hat JBoss Enterprise Application Platform Quarkus <3.8.6.SP1 (Red Hat / JBoss Enterprise Application Platform) | | Quarkus <3.8.6.SP1 | |
| Red Hat JBoss Data Grid 8 (Red Hat / JBoss Data Grid) | cpe:/a:redhat:jboss_data_grid:8 | 8 | |
| Red Hat Enterprise Linux 8 (Red Hat / Enterprise Linux) | cpe:/o:redhat:enterprise_linux:8 | 8 | |
| Red Hat Enterprise Linux 9 (Red Hat / Enterprise Linux) | cpe:/o:redhat:enterprise_linux:9 | 9 | |
| Red Hat Enterprise Linux AI (Red Hat / Enterprise Linux) | cpe:/o:redhat:enterprise_linux:ai | AI | |
| Splunk Splunk Enterprise <9.2.8 (Splunk / Splunk Enterprise) | | <9.2.8 | |
| Red Hat OpenStack 16.2 (Red Hat / OpenStack) | cpe:/a:redhat:openstack:16.2 | 16.2 | |
| Red Hat JBoss Enterprise Application Platform <7.4.23 (Red Hat / JBoss Enterprise Application Platform) | | <7.4.23 | |
| Ubuntu Linux (Ubuntu) | cpe:/o:canonical:ubuntu_linux:- | — | |
| Red Hat Enterprise Linux 7 (Red Hat / Enterprise Linux) | cpe:/o:redhat:enterprise_linux:7 | 7 | |
| Amazon Linux 2 (Amazon) | cpe:/o:amazon:linux_2:- | — | |
| Red Hat OpenShift Serverless Logic <1.35.0 (Red Hat / OpenShift) | | Serverless Logic <1.35.0 | |
| Splunk Splunk Enterprise <9.4.4 (Splunk / Splunk Enterprise) | | <9.4.4 | |
| Splunk Splunk Enterprise <9.3.6 (Splunk / Splunk Enterprise) | | <9.3.6 | |
| Splunk Splunk Enterprise <10.0.1 (Splunk / Splunk Enterprise) | | <10.0.1 | |
References
16 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.\r\nRed Hat OpenStack ist eine Sammlung von Diensten, um Cloud-Computing in Form von Infrastructure as a Service (IaaS) bereitstellen zu k\u00f6nnen.\r\nRed Hat OpenShift ist eine \"Platform as a Service\" (PaaS) L\u00f6sung zur Bereitstellung von Applikationen in der Cloud.\r\nApache Camel ist ein Integrations-Framework, das Enterprise Integration Patterns implementiert.\r\nJBoss Enterprise Application Platform ist eine skalierbare Plattform f\u00fcr Java-Anwendungen, inklusive JBoss Application Server, JBoss Hibernate und Boss Seam.\r\nRed Hat JBoss Data Grid ist eine verteilte In-Memory-Datenbank f\u00fcr den schnellen Zugriff auf gro\u00dfe Datenvolumen und Skalierbarkeit.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter anonymer Angreifer kann mehrere Schwachstellen in Red Hat-Produkten ausnutzen, um Dateien zu manipulieren, beliebigen Code auszuf\u00fchren und einen Denial-of-Service-Zustand zu erzeugen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-3147 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3147.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-3147 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3147"
},
{
"category": "external",
"summary": "Red Hat Security Advisory vom 2024-10-10",
"url": "https://access.redhat.com/errata/RHSA-2024:7670"
},
{
"category": "external",
"summary": "Red Hat Security Advisory vom 2024-10-10",
"url": "https://access.redhat.com/errata/RHSA-2024:7676"
},
{
"category": "external",
"summary": "Red Hat Security Advisory vom 2024-10-10",
"url": "https://access.redhat.com/errata/RHSA-2024:7972"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:8093 vom 2024-10-14",
"url": "https://access.redhat.com/errata/RHSA-2024:8093"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:8329 vom 2024-10-22",
"url": "https://access.redhat.com/errata/RHSA-2024:8329"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:9571 vom 2024-11-13",
"url": "https://access.redhat.com/errata/RHSA-2024:9571"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS-2024-2693 vom 2024-11-15",
"url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2693.html"
},
{
"category": "external",
"summary": "NetApp Security Advisory NTAP-20241213-0010 vom 2024-12-13",
"url": "https://security.netapp.com/advisory/ntap-20241213-0010/"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:0664 vom 2025-01-23",
"url": "https://access.redhat.com/errata/RHSA-2025:0664"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:7620 vom 2025-05-14",
"url": "https://access.redhat.com/errata/RHSA-2025:7620"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7629-2 vom 2025-09-03",
"url": "https://ubuntu.com/security/notices/USN-7629-2"
},
{
"category": "external",
"summary": "Splunk Security Advisory SVD-2025-1007 vom 2025-10-01",
"url": "https://advisory.splunk.com//advisories/SVD-2025-1007"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:20052 vom 2025-11-10",
"url": "https://access.redhat.com/errata/RHSA-2025:20052"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:20057 vom 2025-11-10",
"url": "https://access.redhat.com/errata/RHSA-2025:20057"
}
],
"source_lang": "en-US",
"title": "Red Hat Produkte: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-11-10T23:00:00.000+00:00",
"generator": {
"date": "2025-11-11T07:07:22.554+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2024-3147",
"initial_release_date": "2024-10-10T22:00:00.000+00:00",
"revision_history": [
{
"date": "2024-10-10T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2024-10-14T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-10-15T22:00:00.000+00:00",
"number": "3",
"summary": "Anpassung im Text"
},
{
"date": "2024-10-22T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-11-13T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-11-17T23:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2024-12-12T23:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von NetApp aufgenommen"
},
{
"date": "2025-01-23T23:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-05-14T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-09-02T22:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von Ubuntu aufgenommen"
},
{
"date": "2025-10-01T22:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von Splunk-SVD aufgenommen"
},
{
"date": "2025-11-10T23:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "12"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Amazon Linux 2",
"product": {
"name": "Amazon Linux 2",
"product_id": "398363",
"product_identification_helper": {
"cpe": "cpe:/o:amazon:linux_2:-"
}
}
}
],
"category": "vendor",
"name": "Amazon"
},
{
"branches": [
{
"category": "product_name",
"name": "Apache Camel",
"product": {
"name": "Apache Camel",
"product_id": "T038266",
"product_identification_helper": {
"cpe": "cpe:/a:apache:camel:-"
}
}
}
],
"category": "vendor",
"name": "Apache"
},
{
"branches": [
{
"category": "product_name",
"name": "NetApp ActiveIQ Unified Manager",
"product": {
"name": "NetApp ActiveIQ Unified Manager",
"product_id": "T016960",
"product_identification_helper": {
"cpe": "cpe:/a:netapp:active_iq_unified_manager:-"
}
}
}
],
"category": "vendor",
"name": "NetApp"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"category": "product_version",
"name": "Cryostat 3",
"product": {
"name": "Red Hat Enterprise Linux Cryostat 3",
"product_id": "T036943",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:cryostat_3"
}
}
},
{
"category": "product_version",
"name": "7",
"product": {
"name": "Red Hat Enterprise Linux 7",
"product_id": "T038260",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7"
}
}
},
{
"category": "product_version",
"name": "8",
"product": {
"name": "Red Hat Enterprise Linux 8",
"product_id": "T038261",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:8"
}
}
},
{
"category": "product_version",
"name": "9",
"product": {
"name": "Red Hat Enterprise Linux 9",
"product_id": "T038262",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:9"
}
}
},
{
"category": "product_version",
"name": "AI",
"product": {
"name": "Red Hat Enterprise Linux AI",
"product_id": "T038263",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:ai"
}
}
}
],
"category": "product_name",
"name": "Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "8",
"product": {
"name": "Red Hat JBoss Data Grid 8",
"product_id": "T038268",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_grid:8"
}
}
}
],
"category": "product_name",
"name": "JBoss Data Grid"
},
{
"branches": [
{
"category": "product_version_range",
"name": "Quarkus \u003c3.8.6.SP1",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform Quarkus \u003c3.8.6.SP1",
"product_id": "T038267"
}
},
{
"category": "product_version",
"name": "Quarkus 3.8.6.SP1",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform Quarkus 3.8.6.SP1",
"product_id": "T038267-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:quarkus__3.8.6.sp1"
}
}
},
{
"category": "product_version_range",
"name": "Quarkus \u003c3.2.12.SP1",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform Quarkus \u003c3.2.12.SP1",
"product_id": "T038269"
}
},
{
"category": "product_version",
"name": "Quarkus 3.2.12.SP1",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform Quarkus 3.2.12.SP1",
"product_id": "T038269-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:quarkus__3.2.12.sp1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c7.4.23",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform \u003c7.4.23",
"product_id": "T045348"
}
},
{
"category": "product_version",
"name": "7.4.23",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 7.4.23",
"product_id": "T045348-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4.23"
}
}
}
],
"category": "product_name",
"name": "JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift",
"product": {
"name": "Red Hat OpenShift",
"product_id": "T038265",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:-"
}
}
},
{
"category": "product_version_range",
"name": "Serverless Logic \u003c1.35.0",
"product": {
"name": "Red Hat OpenShift Serverless Logic \u003c1.35.0",
"product_id": "T040597"
}
},
{
"category": "product_version",
"name": "Serverless Logic 1.35.0",
"product": {
"name": "Red Hat OpenShift Serverless Logic 1.35.0",
"product_id": "T040597-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:serverless_logic__1.35.0"
}
}
}
],
"category": "product_name",
"name": "OpenShift"
},
{
"branches": [
{
"category": "product_version",
"name": "16.2",
"product": {
"name": "Red Hat OpenStack 16.2",
"product_id": "T038264",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:16.2"
}
}
}
],
"category": "product_name",
"name": "OpenStack"
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c10.0.1",
"product": {
"name": "Splunk Splunk Enterprise \u003c10.0.1",
"product_id": "T047323"
}
},
{
"category": "product_version",
"name": "10.0.1",
"product": {
"name": "Splunk Splunk Enterprise 10.0.1",
"product_id": "T047323-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:splunk:splunk:10.0.1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c9.4.4",
"product": {
"name": "Splunk Splunk Enterprise \u003c9.4.4",
"product_id": "T047324"
}
},
{
"category": "product_version",
"name": "9.4.4",
"product": {
"name": "Splunk Splunk Enterprise 9.4.4",
"product_id": "T047324-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:splunk:splunk:9.4.4"
}
}
},
{
"category": "product_version_range",
"name": "\u003c9.3.6",
"product": {
"name": "Splunk Splunk Enterprise \u003c9.3.6",
"product_id": "T047325"
}
},
{
"category": "product_version",
"name": "9.3.6",
"product": {
"name": "Splunk Splunk Enterprise 9.3.6",
"product_id": "T047325-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:splunk:splunk:9.3.6"
}
}
},
{
"category": "product_version_range",
"name": "\u003c9.2.8",
"product": {
"name": "Splunk Splunk Enterprise \u003c9.2.8",
"product_id": "T047326"
}
},
{
"category": "product_version",
"name": "9.2.8",
"product": {
"name": "Splunk Splunk Enterprise 9.2.8",
"product_id": "T047326-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:splunk:splunk:9.2.8"
}
}
}
],
"category": "product_name",
"name": "Splunk Enterprise"
}
],
"category": "vendor",
"name": "Splunk"
},
{
"branches": [
{
"category": "product_name",
"name": "Ubuntu Linux",
"product": {
"name": "Ubuntu Linux",
"product_id": "T000126",
"product_identification_helper": {
"cpe": "cpe:/o:canonical:ubuntu_linux:-"
}
}
}
],
"category": "vendor",
"name": "Ubuntu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-44549",
"product_status": {
"known_affected": [
"67646",
"T036943",
"T038269",
"T038265",
"T016960",
"T038266",
"T038267",
"T038268",
"T038261",
"T038262",
"T038263",
"T047326",
"T038264",
"T045348",
"T000126",
"T038260",
"398363",
"T040597",
"T047324",
"T047325",
"T047323"
]
},
"release_date": "2024-10-10T22:00:00.000+00:00",
"title": "CVE-2021-44549"
},
{
"cve": "CVE-2024-40094",
"product_status": {
"known_affected": [
"67646",
"T036943",
"T038269",
"T038265",
"T016960",
"T038266",
"T038267",
"T038268",
"T038261",
"T038262",
"T038263",
"T047326",
"T038264",
"T045348",
"T000126",
"T038260",
"398363",
"T040597",
"T047324",
"T047325",
"T047323"
]
},
"release_date": "2024-10-10T22:00:00.000+00:00",
"title": "CVE-2024-40094"
},
{
"cve": "CVE-2024-47561",
"product_status": {
"known_affected": [
"67646",
"T036943",
"T038269",
"T038265",
"T016960",
"T038266",
"T038267",
"T038268",
"T038261",
"T038262",
"T038263",
"T047326",
"T038264",
"T045348",
"T000126",
"T038260",
"398363",
"T040597",
"T047324",
"T047325",
"T047323"
]
},
"release_date": "2024-10-10T22:00:00.000+00:00",
"title": "CVE-2024-47561"
},
{
"cve": "CVE-2024-7254",
"product_status": {
"known_affected": [
"67646",
"T036943",
"T038269",
"T038265",
"T016960",
"T038266",
"T038267",
"T038268",
"T038261",
"T038262",
"T038263",
"T047326",
"T038264",
"T045348",
"T000126",
"T038260",
"398363",
"T040597",
"T047324",
"T047325",
"T047323"
]
},
"release_date": "2024-10-10T22:00:00.000+00:00",
"title": "CVE-2024-7254"
}
]
}
WID-SEC-W-2024-3302
Vulnerability from csaf_certbund - Published: 2024-10-29 23:00 - Updated: 2024-10-29 23:00
Summary
Keycloak: Vulnerability allows disclosure of information
Severity
High
Notes
The BSI, as the provider of its own content made available for use, is responsible under the general laws. Users, however, are responsible for carefully checking the use and/or implementation of the information provided with the content in each individual case.
Product description: Keycloak enables single sign-on with identity and access management for modern applications and services.
Attack: A remote, anonymous attacker can exploit a vulnerability in Keycloak to disclose information.
Affected operating systems: - UNIX
A vulnerability exists in Keycloak. The flaw is due to disabled server identity checks in the SimpleMailService component, which allows insecure SMTPS connections. A remote, anonymous attacker can exploit this vulnerability to carry out man-in-the-middle attacks and intercept confidential information during e-mail transmission.
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Open Source Keycloak <26.0.4 (Open Source / Keycloak) | | <26.0.4 | |
References
3 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Keycloak erm\u00f6glicht Single Sign-On mit Identity and Access Management f\u00fcr moderne Anwendungen und Dienste.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Keycloak ausnutzen, um Informationen offenzulegen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-3302 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3302.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-3302 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3302"
},
{
"category": "external",
"summary": "Keycloak Release Notes vom 2024-10-29",
"url": "https://www.keycloak.org/2024/10/keycloak-2604-released"
}
],
"source_lang": "en-US",
"title": "Keycloak: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
"tracking": {
"current_release_date": "2024-10-29T23:00:00.000+00:00",
"generator": {
"date": "2024-10-30T12:08:09.823+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.8"
}
},
"id": "WID-SEC-W-2024-3302",
"initial_release_date": "2024-10-29T23:00:00.000+00:00",
"revision_history": [
{
"date": "2024-10-29T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c26.0.4",
"product": {
"name": "Open Source Keycloak \u003c26.0.4",
"product_id": "T038693"
}
},
{
"category": "product_version",
"name": "26.0.4",
"product": {
"name": "Open Source Keycloak 26.0.4",
"product_id": "T038693-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:keycloak:keycloak:26.0.4"
}
}
}
],
"category": "product_name",
"name": "Keycloak"
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-44549",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in Keycloak. Dieser Fehler existiert wegen deaktivierter Server-Identit\u00e4tspr\u00fcfungen in der Komponente SimpleMailService, was unsichere SMTPS-Verbindungen erm\u00f6glicht. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Man-in-the-Middle-Angriffe durchzuf\u00fchren und vertrauliche Informationen w\u00e4hrend der E-Mail-\u00dcbertragung abzufangen."
}
],
"product_status": {
"known_affected": [
"T038693"
]
},
"release_date": "2024-10-29T23:00:00.000+00:00",
"title": "CVE-2021-44549"
}
]
}
WID-SEC-W-2024-3347
Vulnerability from csaf_certbund - Published: 2021-12-16 23:00 - Updated: 2024-11-05 23:00
Summary
Apache Sling: Vulnerability allows bypassing of security measures
Severity
Medium
Notes
The BSI, as the provider of its own content made available for use, is responsible under the general laws. Users, however, are responsible for carefully checking the use and/or implementation of the information provided with the content in each individual case.
Product description: Apache Sling is an open source web framework for the Java platform.
Attack: A remote attacker can exploit a vulnerability in Apache Sling to bypass security measures.
Affected operating systems:
- Linux
- Other
- UNIX
- Windows
A vulnerability exists in Apache Sling. The flaw is due to improper certificate validation in the Commons Messaging Mail component. A remote attacker can exploit this vulnerability to bypass security measures.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat Enterprise Linux (Red Hat) | cpe:/o:redhat:enterprise_linux:- | — | |
| Apache Sling <2.0 (Apache / Sling) | | <2.0 | |
References
7 references
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Apache Sling ist ein Open Source-Webframework f\u00fcr die Java-Plattform.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter Angreifer kann eine Schwachstelle in Apache Sling ausnutzen, um Sicherheitsvorkehrungen zu umgehen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-3347 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2024-3347.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-3347 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3347"
},
{
"category": "external",
"summary": "GitHub Advisory Database vom 2021-12-16",
"url": "https://github.com/advisories/GHSA-c69w-jj56-834w"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:8887 vom 2024-11-05",
"url": "https://access.redhat.com/errata/RHSA-2024:8887"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:8886 vom 2024-11-05",
"url": "https://access.redhat.com/errata/RHSA-2024:8886"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:8885 vom 2024-11-05",
"url": "https://access.redhat.com/errata/RHSA-2024:8885"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:8884 vom 2024-11-05",
"url": "https://access.redhat.com/errata/RHSA-2024:8884"
}
],
"source_lang": "en-US",
"title": "Apache Sling: Schwachstelle erm\u00f6glicht Umgehen von Sicherheitsvorkehrungen",
"tracking": {
"current_release_date": "2024-11-05T23:00:00.000+00:00",
"generator": {
"date": "2024-11-06T11:45:51.356+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.8"
}
},
"id": "WID-SEC-W-2024-3347",
"initial_release_date": "2021-12-16T23:00:00.000+00:00",
"revision_history": [
{
"date": "2021-12-16T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2024-11-05T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c2.0",
"product": {
"name": "Apache Sling \u003c2.0",
"product_id": "T021370"
}
},
{
"category": "product_version",
"name": "2",
"product": {
"name": "Apache Sling 2.0",
"product_id": "T021370-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:apache:sling:2.0"
}
}
}
],
"category": "product_name",
"name": "Sling"
}
],
"category": "vendor",
"name": "Apache"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-44549",
"notes": [
{
"category": "description",
"text": "Es existiert eine Schwachstelle in Apache Sling. Der Fehler besteht aufgrund einer unsachgem\u00e4\u00dfen Zertifikatsvalidierung in der Komponente Commons Messaging Mail. Ein entfernter Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen."
}
],
"product_status": {
"known_affected": [
"67646",
"T021370"
]
},
"release_date": "2021-12-16T23:00:00.000+00:00",
"title": "CVE-2021-44549"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.