Vulnerability-Lookup

CVE-2022-0839 (GCVE-0-2022-0839)

Vulnerability from cvelistv5 – Published: 2022-03-04 14:25 – Updated: 2025-11-03 19:26

Title

Improper Restriction of XML External Entity Reference in liquibase/liquibase

Summary

Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.

Severity ?

7.3 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-611 - Improper Restriction of XML External Entity Reference

Assigner

@huntrdev

References

URL

	Vendor	Product	Version
	liquibase	liquibase/liquibase	Affected: unspecified , < 4.8.0 (custom)

OXAS-ADV-2025-0001

Vulnerability from csaf_ox - Published: 2025-01-27 - Updated: 2025-04-07

Summary

OX App Suite Security Advisory OXAS-ADV-2025-0001

Notes

This content is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International License (https://creativecommons.org/licenses/by-nd/4.0/). If you distribute this content, you must provide attribution to Open-Xchange GmbH and provide a link to the original. You may not distribute a modified version of this content.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "CRITICAL"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Open-Xchange GmbH. All rights reserved.",
      "tlp": {
        "label": "GREEN",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International License (https://creativecommons.org/licenses/by-nd/4.0/). If you distribute this content, you must provide attribution to Open-Xchange GmbH and provide a link to the original. You may not distribute a modified version of this content.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "name": "Open-Xchange GmbH",
      "namespace": "https://open-xchange.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Release Notes",
        "url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6304_7.10.6_2025-02-03.pdf"
      },
      {
        "category": "self",
        "summary": "Canonical CSAF document",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0001.json"
      },
      {
        "category": "self",
        "summary": "Markdown representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/md/2025/oxas-adv-2025-0001.md"
      },
      {
        "category": "self",
        "summary": "HTML representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/html/2025/oxas-adv-2025-0001.html"
      },
      {
        "category": "self",
        "summary": "Plain-text representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/txt/2025/oxas-adv-2025-0001.txt"
      }
    ],
    "title": "OX App Suite Security Advisory OXAS-ADV-2025-0001",
    "tracking": {
      "current_release_date": "2025-04-07T00:00:00+00:00",
      "generator": {
        "date": "2025-04-07T06:54:13+00:00",
        "engine": {
          "name": "OX CSAF",
          "version": "1.0.0"
        }
      },
      "id": "OXAS-ADV-2025-0001",
      "initial_release_date": "2025-01-27T00:00:00+01:00",
      "revision_history": [
        {
          "date": "2025-01-27T00:00:00+01:00",
          "number": "1",
          "summary": "Initial release"
        },
        {
          "date": "2025-04-07T00:00:00+00:00",
          "number": "2",
          "summary": "Public release"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.10.6-rev49",
                "product": {
                  "name": "OX App Suite frontend 7.10.6-rev49",
                  "product_id": "OXAS-FRONTEND_7.10.6-rev49",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev49:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev50",
                "product": {
                  "name": "OX App Suite frontend 7.10.6-rev50",
                  "product_id": "OXAS-FRONTEND_7.10.6-rev50",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev50:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6304"
                      }
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OX App Suite frontend"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.10.6-rev15",
                "product": {
                  "name": "OX App Suite office 7.10.6-rev15",
                  "product_id": "OXAS-OFFICE_7.10.6-rev15",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:office:7.10.6:rev15:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev16",
                "product": {
                  "name": "OX App Suite office 7.10.6-rev16",
                  "product_id": "OXAS-OFFICE_7.10.6-rev16",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:office:7.10.6:rev16:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6304"
                      }
                    ]
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev11",
                "product": {
                  "name": "OX App Suite office 7.10.6-rev11",
                  "product_id": "OXAS-OFFICE_7.10.6-rev11",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:office:7.10.6:rev11:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev12",
                "product": {
                  "name": "OX App Suite office 7.10.6-rev12",
                  "product_id": "OXAS-OFFICE_7.10.6-rev12",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:office:7.10.6:rev12:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6304"
                      }
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OX App Suite office"
          }
        ],
        "category": "vendor",
        "name": "Open-Xchange GmbH"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-47875",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2024-12-13T10:21:37.494000+01:00",
      "ids": [
        {
          "system_name": "GitLab Issue",
          "text": "appsuite/web-apps/ui#785"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The DOMPurify third-party library has been updated to resolve known vulnerabilities."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-FRONTEND_7.10.6-rev50"
        ],
        "last_affected": [
          "OXAS-FRONTEND_7.10.6-rev49"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-01-08T08:55:19.495000+01:00",
          "details": "Third-party libraries have been updated.",
          "product_ids": [
            "OXAS-FRONTEND_7.10.6-rev49"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "OXAS-FRONTEND_7.10.6-rev49"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "This is done as a precautionary measure, at this time none of the related vulnerabilities is known to be exploitable in context of OX App Suite."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "Vulnerable DOMPurify shipped with App Suite 7.10.6 and 7.6.3"
    },
    {
      "cve": "CVE-2022-0839",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2023-09-12T10:35:52+02:00",
      "ids": [
        {
          "system_name": "JIRA OX Bug",
          "text": "DOCS-5081"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Several third-party libraries have been updated to resolve known vulnerabilities. This includes H2, Xalan, Liquibase and Spring Boot."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-OFFICE_7.10.6-rev16"
        ],
        "last_affected": [
          "OXAS-OFFICE_7.10.6-rev15"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-12-03T16:27:44+01:00",
          "details": "Third-party libraries have been updated.",
          "product_ids": [
            "OXAS-OFFICE_7.10.6-rev15"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "OXAS-OFFICE_7.10.6-rev15"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "This is done as a precautionary measure, at this time none of the related vulnerabilities is known to be exploitable in context of OX App Suite."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "Resolving third-party vulnerabilities in the office master (7.10.6) repo"
    },
    {
      "cve": "CVE-2021-23358",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2024-12-12T10:50:59+01:00",
      "ids": [
        {
          "system_name": "JIRA OX Bug",
          "text": "DOCS-5338"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Several third-party libraries have been updated to resolve known vulnerabilities. This includes grunt, dompurify, codecept, underscore and requirejs."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-OFFICE_7.10.6-rev12"
        ],
        "last_affected": [
          "OXAS-OFFICE_7.10.6-rev11"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-01-27T16:08:03+01:00",
          "details": "Third-party libraries have been updated.",
          "product_ids": [
            "OXAS-OFFICE_7.10.6-rev11"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "OXAS-OFFICE_7.10.6-rev11"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "This is done as a precautionary measure, at this time none of the related vulnerabilities is known to be exploitable in context of OX App Suite."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "Resolving third-party vulnerabilities in the office-ui master (7.10.6) repo"
    }
  ]
}

GHSA-JVFV-HRRC-6Q72

Vulnerability from github – Published: 2022-03-05 00:00 – Updated: 2025-11-03 22:28

Summary

Improper Restriction of XML External Entity Reference in Liquibase

Details

The XMLChangeLogSAXParser() function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of XML External Entity Reference.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.liquibase:liquibase-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-07T16:29:11Z",
    "nvd_published_at": "2022-03-04T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The XMLChangeLogSAXParser() function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of XML External Entity Reference.",
  "id": "GHSA-jvfv-hrrc-6q72",
  "modified": "2025-11-03T22:28:08Z",
  "published": "2022-03-05T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0839"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liquibase/liquibase"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in Liquibase"
}

GSD-2022-0839

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.

Aliases

CVE-2022-0839

Aliases

CVE-2022-0839

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-0839",
    "description": "Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.",
    "id": "GSD-2022-0839",
    "references": [
      "https://access.redhat.com/errata/RHBA-2022:5452",
      "https://access.redhat.com/errata/RHBA-2022:5454"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-0839"
      ],
      "details": "Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.",
      "id": "GSD-2022-0839",
      "modified": "2023-12-13T01:19:11.320046Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@huntr.dev",
        "ID": "CVE-2022-0839",
        "STATE": "PUBLIC",
        "TITLE": "Improper Restriction of XML External Entity Reference in liquibase/liquibase"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "liquibase/liquibase",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "4.8.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "liquibase"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-611 Improper Restriction of XML External Entity Reference"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70",
            "refsource": "CONFIRM",
            "url": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"
          },
          {
            "name": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381",
            "refsource": "MISC",
            "url": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ]
      },
      "source": {
        "advisory": "f1ae5779-b406-4594-a8a3-d089c68d6e70",
        "discovery": "EXTERNAL"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,4.8.0)",
          "affected_versions": "All versions before 4.8.0",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-03-08",
          "description": "The `XMLChangeLogSAXParser()` function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of XML External Entity Reference.",
          "fixed_versions": [
            "4.8.0"
          ],
          "identifier": "CVE-2022-0839",
          "identifiers": [
            "GHSA-jvfv-hrrc-6q72",
            "CVE-2022-0839"
          ],
          "not_impacted": "All versions starting from 4.8.0",
          "package_slug": "maven/org.liquibase/liquibase-core",
          "pubdate": "2022-03-05",
          "solution": "Upgrade to version 4.8.0 or above.",
          "title": "Improper Restriction of XML External Entity Reference in Liquibase",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-0839",
            "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381",
            "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70",
            "https://github.com/advisories/GHSA-jvfv-hrrc-6q72"
          ],
          "uuid": "4969cfed-8b57-4f47-9199-429646bfb780"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:liquibase:liquibase:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.8.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:oracle:sqlcl:19c:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-0839"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-611"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381"
            },
            {
              "name": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"
            },
            {
              "name": "N/A",
              "refsource": "N/A",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-02-22T17:45Z",
      "publishedDate": "2022-03-04T15:15Z"
    }
  }
}

FKIE_CVE-2022-0839

Vulnerability from fkie_nvd - Published: 2022-03-04 15:15 - Updated: 2025-11-03 20:15

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.

References

URL	Tags
security@huntr.dev	https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381	Patch
security@huntr.dev	https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70	Exploit, Patch, Third Party Advisory
security@huntr.dev	https://www.oracle.com/security-alerts/cpujul2022.html	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2025/Apr/14
af854a3a-2127-422b-91ae-364da2661108	https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381	Patch
af854a3a-2127-422b-91ae-364da2661108	https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70	Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/security-alerts/cpujul2022.html	Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	liquibase	liquibase	*
	oracle	sqlcl	19c

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:liquibase:liquibase:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E7182354-CBC3-4D65-952D-B3A42FBDA74D",
              "versionEndExcluding": "4.8.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:sqlcl:19c:*:*:*:*:*:*:*",
              "matchCriteriaId": "8ED7C03D-9CC5-41CA-8639-4055169DF369",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0."
    },
    {
      "lang": "es",
      "value": "Una Restricci\u00f3n Inapropiada de la Referencia de Entidad Externa XML en el repositorio de GitHub liquibase/liquibase versiones anteriores a 4.8.0"
    }
  ],
  "id": "CVE-2022-0839",
  "lastModified": "2025-11-03T20:15:52.180",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.4,
        "source": "security@huntr.dev",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-04T15:15:09.097",
  "references": [
    {
      "source": "security@huntr.dev",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381"
    },
    {
      "source": "security@huntr.dev",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"
    },
    {
      "source": "security@huntr.dev",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/14"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    }
  ],
  "sourceIdentifier": "security@huntr.dev",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "security@huntr.dev",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

RHBA-2022:5454

Vulnerability from csaf_redhat - Published: 2022-06-30 18:33 - Updated: 2025-11-21 17:23

Summary

Red Hat Bug Fix Advisory: Red Hat Single Sign-On 7.6.0 update on RHEL 8

Notes

Topic

New Red Hat Single Sign-On 7.6.0 packages are now available for Red Hat Enterprise Linux 8.

Details

Red Hat Single Sign-On 7.6.0 update on RHEL 8

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "New Red Hat Single Sign-On 7.6.0 packages are now available for Red Hat Enterprise Linux 8.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Single Sign-On 7.6.0 update on RHEL 8",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHBA-2022:5454",
        "url": "https://access.redhat.com/errata/RHBA-2022:5454"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhba-2022_5454.json"
      }
    ],
    "title": "Red Hat Bug Fix Advisory: Red Hat Single Sign-On 7.6.0 update on RHEL 8",
    "tracking": {
      "current_release_date": "2025-11-21T17:23:13+00:00",
      "generator": {
        "date": "2025-11-21T17:23:13+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHBA-2022:5454",
      "initial_release_date": "2022-06-30T18:33:11+00:00",
      "revision_history": [
        {
          "date": "2022-06-30T18:33:11+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-06-30T18:33:11+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:23:13+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Single Sign-On 7.6 for RHEL 8",
                "product": {
                  "name": "Red Hat Single Sign-On 7.6 for RHEL 8",
                  "product_id": "8Base-RHSSO-7.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Single Sign-On"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.src",
                "product": {
                  "name": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.src",
                  "product_id": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.0-2.redhat_00001.1.el8sso?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rh-sso7-0:1-4.el8sso.src",
                "product": {
                  "name": "rh-sso7-0:1-4.el8sso.src",
                  "product_id": "rh-sso7-0:1-4.el8sso.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7@1-4.el8sso?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.src",
                "product": {
                  "name": "rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.src",
                  "product_id": "rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7-javapackages-tools@3.4.1-5.15.6.el8sso?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
                "product": {
                  "name": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
                  "product_id": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.0-2.redhat_00001.1.el8sso?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
                "product": {
                  "name": "rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
                  "product_id": "rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@18.0.0-2.redhat_00001.1.el8sso?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.noarch",
                "product": {
                  "name": "rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.noarch",
                  "product_id": "rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7-javapackages-tools@3.4.1-5.15.6.el8sso?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rh-sso7-python3-javapackages-0:3.4.1-5.15.6.el8sso.noarch",
                "product": {
                  "name": "rh-sso7-python3-javapackages-0:3.4.1-5.15.6.el8sso.noarch",
                  "product_id": "rh-sso7-python3-javapackages-0:3.4.1-5.15.6.el8sso.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7-python3-javapackages@3.4.1-5.15.6.el8sso?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rh-sso7-0:1-4.el8sso.x86_64",
                "product": {
                  "name": "rh-sso7-0:1-4.el8sso.x86_64",
                  "product_id": "rh-sso7-0:1-4.el8sso.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7@1-4.el8sso?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rh-sso7-runtime-0:1-4.el8sso.x86_64",
                "product": {
                  "name": "rh-sso7-runtime-0:1-4.el8sso.x86_64",
                  "product_id": "rh-sso7-runtime-0:1-4.el8sso.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7-runtime@1-4.el8sso?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-0:1-4.el8sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
          "product_id": "8Base-RHSSO-7.6:rh-sso7-0:1-4.el8sso.src"
        },
        "product_reference": "rh-sso7-0:1-4.el8sso.src",
        "relates_to_product_reference": "8Base-RHSSO-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-0:1-4.el8sso.x86_64 as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
          "product_id": "8Base-RHSSO-7.6:rh-sso7-0:1-4.el8sso.x86_64"
        },
        "product_reference": "rh-sso7-0:1-4.el8sso.x86_64",
        "relates_to_product_reference": "8Base-RHSSO-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
          "product_id": "8Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.noarch"
        },
        "product_reference": "rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.noarch",
        "relates_to_product_reference": "8Base-RHSSO-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
          "product_id": "8Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.src"
        },
        "product_reference": "rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.src",
        "relates_to_product_reference": "8Base-RHSSO-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
          "product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.noarch"
        },
        "product_reference": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
        "relates_to_product_reference": "8Base-RHSSO-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
          "product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.src"
        },
        "product_reference": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.src",
        "relates_to_product_reference": "8Base-RHSSO-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
          "product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el8sso.noarch"
        },
        "product_reference": "rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
        "relates_to_product_reference": "8Base-RHSSO-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-python3-javapackages-0:3.4.1-5.15.6.el8sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
          "product_id": "8Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:3.4.1-5.15.6.el8sso.noarch"
        },
        "product_reference": "rh-sso7-python3-javapackages-0:3.4.1-5.15.6.el8sso.noarch",
        "relates_to_product_reference": "8Base-RHSSO-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-runtime-0:1-4.el8sso.x86_64 as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
          "product_id": "8Base-RHSSO-7.6:rh-sso7-runtime-0:1-4.el8sso.x86_64"
        },
        "product_reference": "rh-sso7-runtime-0:1-4.el8sso.x86_64",
        "relates_to_product_reference": "8Base-RHSSO-7.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Geir Emblemsv\u00e5g",
            "Hallvard Nyg\u00e5rd",
            "Johannes Knutsen"
          ]
        }
      ],
      "cve": "CVE-2021-3856",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2021-10-04T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2010164"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak-services: ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHSSO-7.6:rh-sso7-0:1-4.el8sso.src",
          "8Base-RHSSO-7.6:rh-sso7-0:1-4.el8sso.x86_64",
          "8Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.noarch",
          "8Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.src",
          "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
          "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.src",
          "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
          "8Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:3.4.1-5.15.6.el8sso.noarch",
          "8Base-RHSSO-7.6:rh-sso7-runtime-0:1-4.el8sso.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-3856"
        },
        {
          "category": "external",
          "summary": "RHBZ#2010164",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010164"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3856",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-3856"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3856",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3856"
        }
      ],
      "release_date": "2021-10-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-06-30T18:33:11+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHSSO-7.6:rh-sso7-0:1-4.el8sso.src",
            "8Base-RHSSO-7.6:rh-sso7-0:1-4.el8sso.x86_64",
            "8Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.noarch",
            "8Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.src",
            "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
            "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.src",
            "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
            "8Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:3.4.1-5.15.6.el8sso.noarch",
            "8Base-RHSSO-7.6:rh-sso7-runtime-0:1-4.el8sso.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2022:5454"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-RHSSO-7.6:rh-sso7-0:1-4.el8sso.src",
            "8Base-RHSSO-7.6:rh-sso7-0:1-4.el8sso.x86_64",
            "8Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.noarch",
            "8Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.src",
            "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
            "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.src",
            "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
            "8Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:3.4.1-5.15.6.el8sso.noarch",
            "8Base-RHSSO-7.6:rh-sso7-runtime-0:1-4.el8sso.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "keycloak-services: ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader"
    },
    {
      "cve": "CVE-2022-0839",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2022-03-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2081484"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Liquiibase\u0027s XMLChangeLogSAXParser() function. It uses SAXParser with no FEATURE_SECURE_PROCESSING set, which could possibly allow XML External Entity (XXE) attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "liquibase: Improper Restriction of XML External Entity",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The impact to Satellite up to 6.11 is very low, as it does not use custom or external XSD in Candlepin\u0027s liquibase changelog files. Satellite 6.12 and later versions are not affected by this flaw.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHSSO-7.6:rh-sso7-0:1-4.el8sso.src",
          "8Base-RHSSO-7.6:rh-sso7-0:1-4.el8sso.x86_64",
          "8Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.noarch",
          "8Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.src",
          "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
          "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.src",
          "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
          "8Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:3.4.1-5.15.6.el8sso.noarch",
          "8Base-RHSSO-7.6:rh-sso7-runtime-0:1-4.el8sso.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-0839"
        },
        {
          "category": "external",
          "summary": "RHBZ#2081484",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081484"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-0839",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-0839"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0839",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0839"
        },
        {
          "category": "external",
          "summary": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70",
          "url": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"
        }
      ],
      "release_date": "2022-01-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-06-30T18:33:11+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHSSO-7.6:rh-sso7-0:1-4.el8sso.src",
            "8Base-RHSSO-7.6:rh-sso7-0:1-4.el8sso.x86_64",
            "8Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.noarch",
            "8Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.src",
            "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
            "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.src",
            "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
            "8Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:3.4.1-5.15.6.el8sso.noarch",
            "8Base-RHSSO-7.6:rh-sso7-runtime-0:1-4.el8sso.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2022:5454"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "8Base-RHSSO-7.6:rh-sso7-0:1-4.el8sso.src",
            "8Base-RHSSO-7.6:rh-sso7-0:1-4.el8sso.x86_64",
            "8Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.noarch",
            "8Base-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.6.el8sso.src",
            "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
            "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el8sso.src",
            "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el8sso.noarch",
            "8Base-RHSSO-7.6:rh-sso7-python3-javapackages-0:3.4.1-5.15.6.el8sso.noarch",
            "8Base-RHSSO-7.6:rh-sso7-runtime-0:1-4.el8sso.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "liquibase: Improper Restriction of XML External Entity"
    }
  ]
}

RHEA-2022:5463

Vulnerability from csaf_redhat - Published: 2022-06-30 18:46 - Updated: 2025-11-21 17:24

Summary

Red Hat Enhancement Advisory: Red Hat Single Sign-On 7.6.0 update

Notes

Topic

New Red Hat Single Sign-On 7.6.0 packages are available from the Customer Portal.

Details

Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.0 serves as a replacement for Red Hat Single Sign-On 7.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "New Red Hat Single Sign-On 7.6.0 packages are available from the Customer Portal.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.0 serves as a replacement for Red Hat Single Sign-On 7.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHEA-2022:5463",
        "url": "https://access.redhat.com/errata/RHEA-2022:5463"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhea-2022_5463.json"
      }
    ],
    "title": "Red Hat Enhancement Advisory: Red Hat Single Sign-On 7.6.0 update",
    "tracking": {
      "current_release_date": "2025-11-21T17:24:26+00:00",
      "generator": {
        "date": "2025-11-21T17:24:26+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHEA-2022:5463",
      "initial_release_date": "2022-06-30T18:46:29+00:00",
      "revision_history": [
        {
          "date": "2022-06-30T18:46:29+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-06-30T18:46:29+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:24:26+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Single Sign-On 7",
                "product": {
                  "name": "Red Hat Single Sign-On 7",
                  "product_id": "Red Hat Single Sign-On 7",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Single Sign-On"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-0839",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2022-03-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2081484"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Liquiibase\u0027s XMLChangeLogSAXParser() function. It uses SAXParser with no FEATURE_SECURE_PROCESSING set, which could possibly allow XML External Entity (XXE) attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "liquibase: Improper Restriction of XML External Entity",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The impact to Satellite up to 6.11 is very low, as it does not use custom or external XSD in Candlepin\u0027s liquibase changelog files. Satellite 6.12 and later versions are not affected by this flaw.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Single Sign-On 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-0839"
        },
        {
          "category": "external",
          "summary": "RHBZ#2081484",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081484"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-0839",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-0839"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0839",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0839"
        },
        {
          "category": "external",
          "summary": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70",
          "url": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"
        }
      ],
      "release_date": "2022-01-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-06-30T18:46:29+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
          "product_ids": [
            "Red Hat Single Sign-On 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2022:5463"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Single Sign-On 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "liquibase: Improper Restriction of XML External Entity"
    }
  ]
}

RHBA-2022:5452

Vulnerability from csaf_redhat - Published: 2022-06-30 18:33 - Updated: 2025-11-21 17:23

Summary

Red Hat Bug Fix Advisory: Red Hat Single Sign-On 7.6.0 update on RHEL 7

Notes

Topic

New Red Hat Single Sign-On 7.6.0 packages are now available for Red Hat Enterprise Linux 7.

Details

Red Hat Single Sign-On 7.6.0 update on RHEL 7

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "New Red Hat Single Sign-On 7.6.0 packages are now available for Red Hat Enterprise Linux 7.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Single Sign-On 7.6.0 update on RHEL 7",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHBA-2022:5452",
        "url": "https://access.redhat.com/errata/RHBA-2022:5452"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhba-2022_5452.json"
      }
    ],
    "title": "Red Hat Bug Fix Advisory: Red Hat Single Sign-On 7.6.0 update on RHEL 7",
    "tracking": {
      "current_release_date": "2025-11-21T17:23:13+00:00",
      "generator": {
        "date": "2025-11-21T17:23:13+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHBA-2022:5452",
      "initial_release_date": "2022-06-30T18:33:28+00:00",
      "revision_history": [
        {
          "date": "2022-06-30T18:33:28+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-06-30T18:33:28+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:23:13+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Single Sign-On 7.6 for RHEL 7 Server",
                "product": {
                  "name": "Red Hat Single Sign-On 7.6 for RHEL 7 Server",
                  "product_id": "7Server-RHSSO-7.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Single Sign-On"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.src",
                "product": {
                  "name": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.src",
                  "product_id": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.0-2.redhat_00001.1.el7sso?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rh-sso7-0:1-4.el7sso.src",
                "product": {
                  "name": "rh-sso7-0:1-4.el7sso.src",
                  "product_id": "rh-sso7-0:1-4.el7sso.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7@1-4.el7sso?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.src",
                "product": {
                  "name": "rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.src",
                  "product_id": "rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7-javapackages-tools@3.4.1-5.15.3.jbcs.el7?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
                "product": {
                  "name": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
                  "product_id": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.0-2.redhat_00001.1.el7sso?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
                "product": {
                  "name": "rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
                  "product_id": "rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@18.0.0-2.redhat_00001.1.el7sso?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.noarch",
                "product": {
                  "name": "rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.noarch",
                  "product_id": "rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7-javapackages-tools@3.4.1-5.15.3.jbcs.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rh-sso7-python-javapackages-0:3.4.1-5.15.3.jbcs.el7.noarch",
                "product": {
                  "name": "rh-sso7-python-javapackages-0:3.4.1-5.15.3.jbcs.el7.noarch",
                  "product_id": "rh-sso7-python-javapackages-0:3.4.1-5.15.3.jbcs.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7-python-javapackages@3.4.1-5.15.3.jbcs.el7?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rh-sso7-0:1-4.el7sso.x86_64",
                "product": {
                  "name": "rh-sso7-0:1-4.el7sso.x86_64",
                  "product_id": "rh-sso7-0:1-4.el7sso.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7@1-4.el7sso?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rh-sso7-runtime-0:1-4.el7sso.x86_64",
                "product": {
                  "name": "rh-sso7-runtime-0:1-4.el7sso.x86_64",
                  "product_id": "rh-sso7-runtime-0:1-4.el7sso.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rh-sso7-runtime@1-4.el7sso?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-0:1-4.el7sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
          "product_id": "7Server-RHSSO-7.6:rh-sso7-0:1-4.el7sso.src"
        },
        "product_reference": "rh-sso7-0:1-4.el7sso.src",
        "relates_to_product_reference": "7Server-RHSSO-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-0:1-4.el7sso.x86_64 as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
          "product_id": "7Server-RHSSO-7.6:rh-sso7-0:1-4.el7sso.x86_64"
        },
        "product_reference": "rh-sso7-0:1-4.el7sso.x86_64",
        "relates_to_product_reference": "7Server-RHSSO-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
          "product_id": "7Server-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.noarch"
        },
        "product_reference": "rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.noarch",
        "relates_to_product_reference": "7Server-RHSSO-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.src as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
          "product_id": "7Server-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.src"
        },
        "product_reference": "rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.src",
        "relates_to_product_reference": "7Server-RHSSO-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
          "product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.noarch"
        },
        "product_reference": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
        "relates_to_product_reference": "7Server-RHSSO-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
          "product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.src"
        },
        "product_reference": "rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.src",
        "relates_to_product_reference": "7Server-RHSSO-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
          "product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el7sso.noarch"
        },
        "product_reference": "rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
        "relates_to_product_reference": "7Server-RHSSO-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-python-javapackages-0:3.4.1-5.15.3.jbcs.el7.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
          "product_id": "7Server-RHSSO-7.6:rh-sso7-python-javapackages-0:3.4.1-5.15.3.jbcs.el7.noarch"
        },
        "product_reference": "rh-sso7-python-javapackages-0:3.4.1-5.15.3.jbcs.el7.noarch",
        "relates_to_product_reference": "7Server-RHSSO-7.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rh-sso7-runtime-0:1-4.el7sso.x86_64 as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
          "product_id": "7Server-RHSSO-7.6:rh-sso7-runtime-0:1-4.el7sso.x86_64"
        },
        "product_reference": "rh-sso7-runtime-0:1-4.el7sso.x86_64",
        "relates_to_product_reference": "7Server-RHSSO-7.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Geir Emblemsv\u00e5g",
            "Hallvard Nyg\u00e5rd",
            "Johannes Knutsen"
          ]
        }
      ],
      "cve": "CVE-2021-3856",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2021-10-04T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2010164"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak-services: ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RHSSO-7.6:rh-sso7-0:1-4.el7sso.src",
          "7Server-RHSSO-7.6:rh-sso7-0:1-4.el7sso.x86_64",
          "7Server-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.noarch",
          "7Server-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.src",
          "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
          "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.src",
          "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
          "7Server-RHSSO-7.6:rh-sso7-python-javapackages-0:3.4.1-5.15.3.jbcs.el7.noarch",
          "7Server-RHSSO-7.6:rh-sso7-runtime-0:1-4.el7sso.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-3856"
        },
        {
          "category": "external",
          "summary": "RHBZ#2010164",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010164"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3856",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-3856"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3856",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3856"
        }
      ],
      "release_date": "2021-10-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-06-30T18:33:28+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-RHSSO-7.6:rh-sso7-0:1-4.el7sso.src",
            "7Server-RHSSO-7.6:rh-sso7-0:1-4.el7sso.x86_64",
            "7Server-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.noarch",
            "7Server-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.src",
            "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
            "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.src",
            "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
            "7Server-RHSSO-7.6:rh-sso7-python-javapackages-0:3.4.1-5.15.3.jbcs.el7.noarch",
            "7Server-RHSSO-7.6:rh-sso7-runtime-0:1-4.el7sso.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2022:5452"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "7Server-RHSSO-7.6:rh-sso7-0:1-4.el7sso.src",
            "7Server-RHSSO-7.6:rh-sso7-0:1-4.el7sso.x86_64",
            "7Server-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.noarch",
            "7Server-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.src",
            "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
            "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.src",
            "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
            "7Server-RHSSO-7.6:rh-sso7-python-javapackages-0:3.4.1-5.15.3.jbcs.el7.noarch",
            "7Server-RHSSO-7.6:rh-sso7-runtime-0:1-4.el7sso.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "keycloak-services: ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader"
    },
    {
      "cve": "CVE-2022-0839",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2022-03-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2081484"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Liquiibase\u0027s XMLChangeLogSAXParser() function. It uses SAXParser with no FEATURE_SECURE_PROCESSING set, which could possibly allow XML External Entity (XXE) attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "liquibase: Improper Restriction of XML External Entity",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The impact to Satellite up to 6.11 is very low, as it does not use custom or external XSD in Candlepin\u0027s liquibase changelog files. Satellite 6.12 and later versions are not affected by this flaw.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RHSSO-7.6:rh-sso7-0:1-4.el7sso.src",
          "7Server-RHSSO-7.6:rh-sso7-0:1-4.el7sso.x86_64",
          "7Server-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.noarch",
          "7Server-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.src",
          "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
          "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.src",
          "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
          "7Server-RHSSO-7.6:rh-sso7-python-javapackages-0:3.4.1-5.15.3.jbcs.el7.noarch",
          "7Server-RHSSO-7.6:rh-sso7-runtime-0:1-4.el7sso.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-0839"
        },
        {
          "category": "external",
          "summary": "RHBZ#2081484",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081484"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-0839",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-0839"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0839",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0839"
        },
        {
          "category": "external",
          "summary": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70",
          "url": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"
        }
      ],
      "release_date": "2022-01-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-06-30T18:33:28+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-RHSSO-7.6:rh-sso7-0:1-4.el7sso.src",
            "7Server-RHSSO-7.6:rh-sso7-0:1-4.el7sso.x86_64",
            "7Server-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.noarch",
            "7Server-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.src",
            "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
            "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.src",
            "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
            "7Server-RHSSO-7.6:rh-sso7-python-javapackages-0:3.4.1-5.15.3.jbcs.el7.noarch",
            "7Server-RHSSO-7.6:rh-sso7-runtime-0:1-4.el7sso.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2022:5452"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "7Server-RHSSO-7.6:rh-sso7-0:1-4.el7sso.src",
            "7Server-RHSSO-7.6:rh-sso7-0:1-4.el7sso.x86_64",
            "7Server-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.noarch",
            "7Server-RHSSO-7.6:rh-sso7-javapackages-tools-0:3.4.1-5.15.3.jbcs.el7.src",
            "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
            "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.0-2.redhat_00001.1.el7sso.src",
            "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.0-2.redhat_00001.1.el7sso.noarch",
            "7Server-RHSSO-7.6:rh-sso7-python-javapackages-0:3.4.1-5.15.3.jbcs.el7.noarch",
            "7Server-RHSSO-7.6:rh-sso7-runtime-0:1-4.el7sso.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "liquibase: Improper Restriction of XML External Entity"
    }
  ]
}

CERTFR-2022-AVI-654

Vulnerability from certfr_avis - Published: 2022-07-20 - Updated: 2022-07-20

De multiples vulnérabilités ont été découvertes dans Oracle Database Server. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, un déni de service à distance et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Oracle Database version 12.1.0.2
Oracle Database version 19c
Oracle Database version 21c
Oracle Application Express versions antérieures à 22.1.1

Les versions d'Oracle Database qui ne sont plus sous maintenance sont affectées par la vulnérabilité CVE-2022-21510.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-0839 (GCVE-0-2022-0839)

Solution

Tags

Sightings

Nomenclature