Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-42920 (GCVE-0-2022-42920)
Vulnerability from cvelistv5 – Published: 2022-11-07 00:00 – Updated: 2024-08-03 13:19
VLAI
EPSS
Title
Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing
Summary
Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.
Severity
No CVSS data available.
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm… | |
| http://www.openwall.com/lists/oss-security/2022/11/07/2 | mailing-list |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory |
| https://security.gentoo.org/glsa/202401-25 | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Commons BCEL |
Affected:
Apache Commons BCEL , < 6.6.0
(custom)
|
Credits
Reported by Felix Wilhelm (Google); GitHub pull request to Apache Commons BCEL #147 by Richard Atkins (https://github.com/rjatkins); PR derived from OpenJDK (https://github.com/openjdk/jdk11u/) commit 13bf52c8d876528a43be7cb77a1f452d29a21492 by Aleksei Voitylov and RealCLanger (Christoph Langer https://github.com/RealCLanger)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:19:05.457Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4"
},
{
"name": "[oss-security] 20221107 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/07/2"
},
{
"name": "FEDORA-2022-01a56f581c",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4/"
},
{
"name": "FEDORA-2022-0e358addb8",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QMVX6COVXZVS5GPWDODIRW6Z2GE7RPAQ/"
},
{
"name": "FEDORA-2022-f60a52e054",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QAMRHAKGIKZNHRBB4VLYTOIOIMMXCUCD/"
},
{
"name": "GLSA-202401-25",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202401-25"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Commons BCEL",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "6.6.0",
"status": "affected",
"version": "Apache Commons BCEL",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Reported by Felix Wilhelm (Google); GitHub pull request to Apache Commons BCEL #147 by Richard Atkins (https://github.com/rjatkins); PR derived from OpenJDK (https://github.com/openjdk/jdk11u/) commit 13bf52c8d876528a43be7cb77a1f452d29a21492 by Aleksei Voitylov and RealCLanger (Christoph Langer https://github.com/RealCLanger)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-17T15:06:37.552Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4"
},
{
"name": "[oss-security] 20221107 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/07/2"
},
{
"name": "FEDORA-2022-01a56f581c",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4/"
},
{
"name": "FEDORA-2022-0e358addb8",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QMVX6COVXZVS5GPWDODIRW6Z2GE7RPAQ/"
},
{
"name": "FEDORA-2022-f60a52e054",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QAMRHAKGIKZNHRBB4VLYTOIOIMMXCUCD/"
},
{
"name": "GLSA-202401-25",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202401-25"
}
],
"source": {
"defect": [
"BCEL-363"
],
"discovery": "UNKNOWN"
},
"title": "Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-42920",
"datePublished": "2022-11-07T00:00:00.000Z",
"dateReserved": "2022-10-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T13:19:05.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-42920",
"date": "2026-05-30",
"epss": "0.03797",
"percentile": "0.88281"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-42920\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2022-11-07T13:15:10.270\",\"lastModified\":\"2024-11-21T07:25:35.887\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.\"},{\"lang\":\"es\",\"value\":\"Apache Commons BCEL tiene una serie de API que normalmente solo permitir\u00edan cambiar caracter\u00edsticas de clase espec\u00edficas. Sin embargo, debido a un problema de escritura fuera de l\u00edmites, estas API se pueden utilizar para producir c\u00f3digo de bytes arbitrario. Se podr\u00eda abusar de esto en aplicaciones que pasan datos controlables por el atacante a esas API, lo que le da al atacante m\u00e1s control sobre el c\u00f3digo de bytes resultante del que se esperar\u00eda. Actualizaci\u00f3n a Apache Commons BCEL 6.6.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_bcel:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.6.0\",\"matchCriteriaId\":\"4EDE5588-DA3A-40CD-8AD3-D35652C1FD2D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E30D0E6F-4AE8-4284-8716-991DFA48CC5D\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/07/2\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4/\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QAMRHAKGIKZNHRBB4VLYTOIOIMMXCUCD/\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QMVX6COVXZVS5GPWDODIRW6Z2GE7RPAQ/\",\"source\":\"security@apache.org\"},{\"url\":\"https://security.gentoo.org/glsa/202401-25\",\"source\":\"security@apache.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/07/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QAMRHAKGIKZNHRBB4VLYTOIOIMMXCUCD/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QMVX6COVXZVS5GPWDODIRW6Z2GE7RPAQ/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202401-25\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
OPENSUSE-SU-2024:12498-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
bcel5_3-5.3-21.1 on GA media
Severity
Moderate
Notes
Title of the patch: bcel5_3-5.3-21.1 on GA media
Description of the patch: These are all security issues fixed in the bcel5_3-5.3-21.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-12498
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.1 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:bcel5_3-5.3-21.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:bcel5_3-5.3-21.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:bcel5_3-5.3-21.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:bcel5_3-5.3-21.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
6 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "bcel5_3-5.3-21.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the bcel5_3-5.3-21.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12498",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12498-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-42920 page",
"url": "https://www.suse.com/security/cve/CVE-2022-42920/"
}
],
"title": "bcel5_3-5.3-21.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12498-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "bcel5_3-5.3-21.1.aarch64",
"product": {
"name": "bcel5_3-5.3-21.1.aarch64",
"product_id": "bcel5_3-5.3-21.1.aarch64"
}
},
{
"category": "product_version",
"name": "bcel5_3-javadoc-5.3-21.1.aarch64",
"product": {
"name": "bcel5_3-javadoc-5.3-21.1.aarch64",
"product_id": "bcel5_3-javadoc-5.3-21.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "bcel5_3-5.3-21.1.ppc64le",
"product": {
"name": "bcel5_3-5.3-21.1.ppc64le",
"product_id": "bcel5_3-5.3-21.1.ppc64le"
}
},
{
"category": "product_version",
"name": "bcel5_3-javadoc-5.3-21.1.ppc64le",
"product": {
"name": "bcel5_3-javadoc-5.3-21.1.ppc64le",
"product_id": "bcel5_3-javadoc-5.3-21.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "bcel5_3-5.3-21.1.s390x",
"product": {
"name": "bcel5_3-5.3-21.1.s390x",
"product_id": "bcel5_3-5.3-21.1.s390x"
}
},
{
"category": "product_version",
"name": "bcel5_3-javadoc-5.3-21.1.s390x",
"product": {
"name": "bcel5_3-javadoc-5.3-21.1.s390x",
"product_id": "bcel5_3-javadoc-5.3-21.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "bcel5_3-5.3-21.1.x86_64",
"product": {
"name": "bcel5_3-5.3-21.1.x86_64",
"product_id": "bcel5_3-5.3-21.1.x86_64"
}
},
{
"category": "product_version",
"name": "bcel5_3-javadoc-5.3-21.1.x86_64",
"product": {
"name": "bcel5_3-javadoc-5.3-21.1.x86_64",
"product_id": "bcel5_3-javadoc-5.3-21.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel5_3-5.3-21.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bcel5_3-5.3-21.1.aarch64"
},
"product_reference": "bcel5_3-5.3-21.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel5_3-5.3-21.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bcel5_3-5.3-21.1.ppc64le"
},
"product_reference": "bcel5_3-5.3-21.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel5_3-5.3-21.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bcel5_3-5.3-21.1.s390x"
},
"product_reference": "bcel5_3-5.3-21.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel5_3-5.3-21.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bcel5_3-5.3-21.1.x86_64"
},
"product_reference": "bcel5_3-5.3-21.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel5_3-javadoc-5.3-21.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.aarch64"
},
"product_reference": "bcel5_3-javadoc-5.3-21.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel5_3-javadoc-5.3-21.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.ppc64le"
},
"product_reference": "bcel5_3-javadoc-5.3-21.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel5_3-javadoc-5.3-21.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.s390x"
},
"product_reference": "bcel5_3-javadoc-5.3-21.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel5_3-javadoc-5.3-21.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.x86_64"
},
"product_reference": "bcel5_3-javadoc-5.3-21.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-42920",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-42920"
}
],
"notes": [
{
"category": "general",
"text": "Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bcel5_3-5.3-21.1.aarch64",
"openSUSE Tumbleweed:bcel5_3-5.3-21.1.ppc64le",
"openSUSE Tumbleweed:bcel5_3-5.3-21.1.s390x",
"openSUSE Tumbleweed:bcel5_3-5.3-21.1.x86_64",
"openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.aarch64",
"openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.ppc64le",
"openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.s390x",
"openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-42920",
"url": "https://www.suse.com/security/cve/CVE-2022-42920"
},
{
"category": "external",
"summary": "SUSE Bug 1205125 for CVE-2022-42920",
"url": "https://bugzilla.suse.com/1205125"
},
{
"category": "external",
"summary": "SUSE Bug 1209316 for CVE-2022-42920",
"url": "https://bugzilla.suse.com/1209316"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bcel5_3-5.3-21.1.aarch64",
"openSUSE Tumbleweed:bcel5_3-5.3-21.1.ppc64le",
"openSUSE Tumbleweed:bcel5_3-5.3-21.1.s390x",
"openSUSE Tumbleweed:bcel5_3-5.3-21.1.x86_64",
"openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.aarch64",
"openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.ppc64le",
"openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.s390x",
"openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:bcel5_3-5.3-21.1.aarch64",
"openSUSE Tumbleweed:bcel5_3-5.3-21.1.ppc64le",
"openSUSE Tumbleweed:bcel5_3-5.3-21.1.s390x",
"openSUSE Tumbleweed:bcel5_3-5.3-21.1.x86_64",
"openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.aarch64",
"openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.ppc64le",
"openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.s390x",
"openSUSE Tumbleweed:bcel5_3-javadoc-5.3-21.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-42920"
}
]
}
OPENSUSE-SU-2024:12530-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
bcel-5.2-37.1 on GA media
Severity
Moderate
Notes
Title of the patch: bcel-5.2-37.1 on GA media
Description of the patch: These are all security issues fixed in the bcel-5.2-37.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-12530
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:bcel-5.2-37.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:bcel-5.2-37.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:bcel-5.2-37.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:bcel-5.2-37.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
6 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "bcel-5.2-37.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the bcel-5.2-37.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12530",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12530-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-42920 page",
"url": "https://www.suse.com/security/cve/CVE-2022-42920/"
}
],
"title": "bcel-5.2-37.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12530-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "bcel-5.2-37.1.aarch64",
"product": {
"name": "bcel-5.2-37.1.aarch64",
"product_id": "bcel-5.2-37.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "bcel-5.2-37.1.ppc64le",
"product": {
"name": "bcel-5.2-37.1.ppc64le",
"product_id": "bcel-5.2-37.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "bcel-5.2-37.1.s390x",
"product": {
"name": "bcel-5.2-37.1.s390x",
"product_id": "bcel-5.2-37.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "bcel-5.2-37.1.x86_64",
"product": {
"name": "bcel-5.2-37.1.x86_64",
"product_id": "bcel-5.2-37.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-5.2-37.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bcel-5.2-37.1.aarch64"
},
"product_reference": "bcel-5.2-37.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-5.2-37.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bcel-5.2-37.1.ppc64le"
},
"product_reference": "bcel-5.2-37.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-5.2-37.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bcel-5.2-37.1.s390x"
},
"product_reference": "bcel-5.2-37.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-5.2-37.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:bcel-5.2-37.1.x86_64"
},
"product_reference": "bcel-5.2-37.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-42920",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-42920"
}
],
"notes": [
{
"category": "general",
"text": "Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:bcel-5.2-37.1.aarch64",
"openSUSE Tumbleweed:bcel-5.2-37.1.ppc64le",
"openSUSE Tumbleweed:bcel-5.2-37.1.s390x",
"openSUSE Tumbleweed:bcel-5.2-37.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-42920",
"url": "https://www.suse.com/security/cve/CVE-2022-42920"
},
{
"category": "external",
"summary": "SUSE Bug 1205125 for CVE-2022-42920",
"url": "https://bugzilla.suse.com/1205125"
},
{
"category": "external",
"summary": "SUSE Bug 1209316 for CVE-2022-42920",
"url": "https://bugzilla.suse.com/1209316"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:bcel-5.2-37.1.aarch64",
"openSUSE Tumbleweed:bcel-5.2-37.1.ppc64le",
"openSUSE Tumbleweed:bcel-5.2-37.1.s390x",
"openSUSE Tumbleweed:bcel-5.2-37.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:bcel-5.2-37.1.aarch64",
"openSUSE Tumbleweed:bcel-5.2-37.1.ppc64le",
"openSUSE Tumbleweed:bcel-5.2-37.1.s390x",
"openSUSE Tumbleweed:bcel-5.2-37.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-42920"
}
]
}
RHSA-2022:8958
Vulnerability from csaf_redhat - Published: 2022-12-13 14:10 - Updated: 2026-03-20 18:14Summary
Red Hat Security Advisory: bcel security update
Severity
Important
Notes
Topic: An update for bcel is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The Byte Code Engineering Library (Apache Commons BCEL) is intended to give users a convenient way to analyze, create, and manipulate (binary) Java class files (those ending with .class).
Security Fix(es):
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.
8.1 (High)
Affected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Client-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Client-optional-7.9.Z:bcel-0:5.2-19.el7_9.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Client-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7ComputeNode-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7ComputeNode-optional-7.9.Z:bcel-0:5.2-19.el7_9.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7ComputeNode-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-7.9.Z:bcel-0:5.2-19.el7_9.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-7.9.Z:bcel-0:5.2-19.el7_9.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-optional-7.9.Z:bcel-0:5.2-19.el7_9.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-7.9.Z:bcel-0:5.2-19.el7_9.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-7.9.Z:bcel-0:5.2-19.el7_9.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-optional-7.9.Z:bcel-0:5.2-19.el7_9.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Important
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for bcel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Byte Code Engineering Library (Apache Commons BCEL) is intended to give users a convenient way to analyze, create, and manipulate (binary) Java class files (those ending with .class).\n\nSecurity Fix(es):\n\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:8958",
"url": "https://access.redhat.com/errata/RHSA-2022:8958"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_8958.json"
}
],
"title": "Red Hat Security Advisory: bcel security update",
"tracking": {
"current_release_date": "2026-03-20T18:14:05+00:00",
"generator": {
"date": "2026-03-20T18:14:05+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2022:8958",
"initial_release_date": "2022-12-13T14:10:12+00:00",
"revision_history": [
{
"date": "2022-12-13T14:10:12+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-12-13T14:10:12+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-20T18:14:05+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.9.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.9.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.9.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.9.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.9.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "bcel-0:5.2-19.el7_9.src",
"product": {
"name": "bcel-0:5.2-19.el7_9.src",
"product_id": "bcel-0:5.2-19.el7_9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/bcel@5.2-19.el7_9?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "bcel-0:5.2-19.el7_9.noarch",
"product": {
"name": "bcel-0:5.2-19.el7_9.noarch",
"product_id": "bcel-0:5.2-19.el7_9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/bcel@5.2-19.el7_9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "bcel-javadoc-0:5.2-19.el7_9.noarch",
"product": {
"name": "bcel-javadoc-0:5.2-19.el7_9.noarch",
"product_id": "bcel-javadoc-0:5.2-19.el7_9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/bcel-javadoc@5.2-19.el7_9?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-0:5.2-19.el7_9.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch"
},
"product_reference": "bcel-0:5.2-19.el7_9.noarch",
"relates_to_product_reference": "7Client-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-0:5.2-19.el7_9.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.9.Z:bcel-0:5.2-19.el7_9.src"
},
"product_reference": "bcel-0:5.2-19.el7_9.src",
"relates_to_product_reference": "7Client-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-javadoc-0:5.2-19.el7_9.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch"
},
"product_reference": "bcel-javadoc-0:5.2-19.el7_9.noarch",
"relates_to_product_reference": "7Client-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-0:5.2-19.el7_9.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch"
},
"product_reference": "bcel-0:5.2-19.el7_9.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-0:5.2-19.el7_9.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.9.Z:bcel-0:5.2-19.el7_9.src"
},
"product_reference": "bcel-0:5.2-19.el7_9.src",
"relates_to_product_reference": "7ComputeNode-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-javadoc-0:5.2-19.el7_9.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch"
},
"product_reference": "bcel-javadoc-0:5.2-19.el7_9.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-0:5.2-19.el7_9.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.9.Z:bcel-0:5.2-19.el7_9.noarch"
},
"product_reference": "bcel-0:5.2-19.el7_9.noarch",
"relates_to_product_reference": "7Server-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-0:5.2-19.el7_9.src as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.9.Z:bcel-0:5.2-19.el7_9.src"
},
"product_reference": "bcel-0:5.2-19.el7_9.src",
"relates_to_product_reference": "7Server-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-javadoc-0:5.2-19.el7_9.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch"
},
"product_reference": "bcel-javadoc-0:5.2-19.el7_9.noarch",
"relates_to_product_reference": "7Server-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-0:5.2-19.el7_9.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch"
},
"product_reference": "bcel-0:5.2-19.el7_9.noarch",
"relates_to_product_reference": "7Server-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-0:5.2-19.el7_9.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9.Z:bcel-0:5.2-19.el7_9.src"
},
"product_reference": "bcel-0:5.2-19.el7_9.src",
"relates_to_product_reference": "7Server-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-javadoc-0:5.2-19.el7_9.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch"
},
"product_reference": "bcel-javadoc-0:5.2-19.el7_9.noarch",
"relates_to_product_reference": "7Server-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-0:5.2-19.el7_9.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.9.Z:bcel-0:5.2-19.el7_9.noarch"
},
"product_reference": "bcel-0:5.2-19.el7_9.noarch",
"relates_to_product_reference": "7Workstation-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-0:5.2-19.el7_9.src as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.9.Z:bcel-0:5.2-19.el7_9.src"
},
"product_reference": "bcel-0:5.2-19.el7_9.src",
"relates_to_product_reference": "7Workstation-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-javadoc-0:5.2-19.el7_9.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch"
},
"product_reference": "bcel-javadoc-0:5.2-19.el7_9.noarch",
"relates_to_product_reference": "7Workstation-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-0:5.2-19.el7_9.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch"
},
"product_reference": "bcel-0:5.2-19.el7_9.noarch",
"relates_to_product_reference": "7Workstation-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-0:5.2-19.el7_9.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.9.Z:bcel-0:5.2-19.el7_9.src"
},
"product_reference": "bcel-0:5.2-19.el7_9.src",
"relates_to_product_reference": "7Workstation-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-javadoc-0:5.2-19.el7_9.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch"
},
"product_reference": "bcel-javadoc-0:5.2-19.el7_9.noarch",
"relates_to_product_reference": "7Workstation-optional-7.9.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-42920",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2142707"
}
],
"notes": [
{
"category": "description",
"text": "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7Client-optional-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7Client-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7ComputeNode-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch",
"7Server-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7Server-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7Server-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch",
"7Server-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7Server-optional-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7Server-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch",
"7Workstation-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7Workstation-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7Workstation-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch",
"7Workstation-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7Workstation-optional-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7Workstation-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42920"
},
{
"category": "external",
"summary": "RHBZ#2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42920"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4",
"url": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4"
}
],
"release_date": "2022-11-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-13T14:10:12+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7Client-optional-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7Client-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7ComputeNode-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch",
"7Server-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7Server-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7Server-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch",
"7Server-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7Server-optional-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7Server-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch",
"7Workstation-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7Workstation-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7Workstation-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch",
"7Workstation-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7Workstation-optional-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7Workstation-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:8958"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Client-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7Client-optional-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7Client-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7ComputeNode-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch",
"7Server-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7Server-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7Server-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch",
"7Server-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7Server-optional-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7Server-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch",
"7Workstation-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7Workstation-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7Workstation-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch",
"7Workstation-optional-7.9.Z:bcel-0:5.2-19.el7_9.noarch",
"7Workstation-optional-7.9.Z:bcel-0:5.2-19.el7_9.src",
"7Workstation-optional-7.9.Z:bcel-javadoc-0:5.2-19.el7_9.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing"
}
]
}
RHSA-2022:8959
Vulnerability from csaf_redhat - Published: 2022-12-13 14:02 - Updated: 2026-03-20 18:14Summary
Red Hat Security Advisory: rh-maven36-bcel security update
Severity
Important
Notes
Topic: An update for rh-maven36-bcel is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The Byte Code Engineering Library (Apache Commons BCEL) is intended to give users a convenient way to analyze, create, and manipulate (binary) Java class files (those ending with .class).
Security Fix(es):
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.
8.1 (High)
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-3.8:rh-maven36-bcel-javadoc-0:6.3.1-2.3.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-3.8:rh-maven36-bcel-javadoc-0:6.3.1-2.3.el7.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Important
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for rh-maven36-bcel is now available for Red Hat Software Collections.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Byte Code Engineering Library (Apache Commons BCEL) is intended to give users a convenient way to analyze, create, and manipulate (binary) Java class files (those ending with .class).\n\nSecurity Fix(es):\n\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:8959",
"url": "https://access.redhat.com/errata/RHSA-2022:8959"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_8959.json"
}
],
"title": "Red Hat Security Advisory: rh-maven36-bcel security update",
"tracking": {
"current_release_date": "2026-03-20T18:14:03+00:00",
"generator": {
"date": "2026-03-20T18:14:03+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2022:8959",
"initial_release_date": "2022-12-13T14:02:08+00:00",
"revision_history": [
{
"date": "2022-12-13T14:02:08+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-12-13T14:02:08+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-20T18:14:03+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Software Collections for RHEL Workstation(v. 7)",
"product": {
"name": "Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for RHEL(v. 7)",
"product": {
"name": "Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Software Collections"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-maven36-bcel-0:6.3.1-2.3.el7.src",
"product": {
"name": "rh-maven36-bcel-0:6.3.1-2.3.el7.src",
"product_id": "rh-maven36-bcel-0:6.3.1-2.3.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven36-bcel@6.3.1-2.3.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-maven36-bcel-0:6.3.1-2.3.el7.noarch",
"product": {
"name": "rh-maven36-bcel-0:6.3.1-2.3.el7.noarch",
"product_id": "rh-maven36-bcel-0:6.3.1-2.3.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven36-bcel@6.3.1-2.3.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-maven36-bcel-javadoc-0:6.3.1-2.3.el7.noarch",
"product": {
"name": "rh-maven36-bcel-javadoc-0:6.3.1-2.3.el7.noarch",
"product_id": "rh-maven36-bcel-javadoc-0:6.3.1-2.3.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven36-bcel-javadoc@6.3.1-2.3.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven36-bcel-0:6.3.1-2.3.el7.noarch as a component of Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.noarch"
},
"product_reference": "rh-maven36-bcel-0:6.3.1-2.3.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven36-bcel-0:6.3.1-2.3.el7.src as a component of Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.src"
},
"product_reference": "rh-maven36-bcel-0:6.3.1-2.3.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven36-bcel-javadoc-0:6.3.1-2.3.el7.noarch as a component of Red Hat Software Collections for RHEL Workstation(v. 7)",
"product_id": "7Server-RHSCL-3.8:rh-maven36-bcel-javadoc-0:6.3.1-2.3.el7.noarch"
},
"product_reference": "rh-maven36-bcel-javadoc-0:6.3.1-2.3.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven36-bcel-0:6.3.1-2.3.el7.noarch as a component of Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.noarch"
},
"product_reference": "rh-maven36-bcel-0:6.3.1-2.3.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven36-bcel-0:6.3.1-2.3.el7.src as a component of Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.src"
},
"product_reference": "rh-maven36-bcel-0:6.3.1-2.3.el7.src",
"relates_to_product_reference": "7Workstation-RHSCL-3.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven36-bcel-javadoc-0:6.3.1-2.3.el7.noarch as a component of Red Hat Software Collections for RHEL(v. 7)",
"product_id": "7Workstation-RHSCL-3.8:rh-maven36-bcel-javadoc-0:6.3.1-2.3.el7.noarch"
},
"product_reference": "rh-maven36-bcel-javadoc-0:6.3.1-2.3.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-3.8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-42920",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2142707"
}
],
"notes": [
{
"category": "description",
"text": "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.noarch",
"7Server-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.src",
"7Server-RHSCL-3.8:rh-maven36-bcel-javadoc-0:6.3.1-2.3.el7.noarch",
"7Workstation-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.noarch",
"7Workstation-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.src",
"7Workstation-RHSCL-3.8:rh-maven36-bcel-javadoc-0:6.3.1-2.3.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42920"
},
{
"category": "external",
"summary": "RHBZ#2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42920"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4",
"url": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4"
}
],
"release_date": "2022-11-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-13T14:02:08+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.noarch",
"7Server-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.src",
"7Server-RHSCL-3.8:rh-maven36-bcel-javadoc-0:6.3.1-2.3.el7.noarch",
"7Workstation-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.noarch",
"7Workstation-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.src",
"7Workstation-RHSCL-3.8:rh-maven36-bcel-javadoc-0:6.3.1-2.3.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:8959"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.noarch",
"7Server-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.src",
"7Server-RHSCL-3.8:rh-maven36-bcel-javadoc-0:6.3.1-2.3.el7.noarch",
"7Workstation-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.noarch",
"7Workstation-RHSCL-3.8:rh-maven36-bcel-0:6.3.1-2.3.el7.src",
"7Workstation-RHSCL-3.8:rh-maven36-bcel-javadoc-0:6.3.1-2.3.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing"
}
]
}
RHSA-2023:0004
Vulnerability from csaf_redhat - Published: 2023-01-02 07:03 - Updated: 2026-03-20 18:14Summary
Red Hat Security Advisory: bcel security update
Severity
Important
Notes
Topic: An update for bcel is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The Byte Code Engineering Library (Apache Commons BCEL) is intended to give users a convenient way to analyze, create, and manipulate (binary) Java class files (those ending with .class).
Security Fix(es):
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.
8.1 (High)
Affected products
Threats
Impact
Important
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for bcel is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Byte Code Engineering Library (Apache Commons BCEL) is intended to give users a convenient way to analyze, create, and manipulate (binary) Java class files (those ending with .class).\n\nSecurity Fix(es):\n\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0004",
"url": "https://access.redhat.com/errata/RHSA-2023:0004"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0004.json"
}
],
"title": "Red Hat Security Advisory: bcel security update",
"tracking": {
"current_release_date": "2026-03-20T18:14:04+00:00",
"generator": {
"date": "2026-03-20T18:14:04+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2023:0004",
"initial_release_date": "2023-01-02T07:03:25+00:00",
"revision_history": [
{
"date": "2023-01-02T07:03:25+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-02T07:03:25+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-20T18:14:04+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product_id": "AppStream-9.0.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.0::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "bcel-0:6.4.1-9.el9_0.src",
"product": {
"name": "bcel-0:6.4.1-9.el9_0.src",
"product_id": "bcel-0:6.4.1-9.el9_0.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/bcel@6.4.1-9.el9_0?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "bcel-0:6.4.1-9.el9_0.noarch",
"product": {
"name": "bcel-0:6.4.1-9.el9_0.noarch",
"product_id": "bcel-0:6.4.1-9.el9_0.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/bcel@6.4.1-9.el9_0?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-0:6.4.1-9.el9_0.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product_id": "AppStream-9.0.0.Z.EUS:bcel-0:6.4.1-9.el9_0.noarch"
},
"product_reference": "bcel-0:6.4.1-9.el9_0.noarch",
"relates_to_product_reference": "AppStream-9.0.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-0:6.4.1-9.el9_0.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.0)",
"product_id": "AppStream-9.0.0.Z.EUS:bcel-0:6.4.1-9.el9_0.src"
},
"product_reference": "bcel-0:6.4.1-9.el9_0.src",
"relates_to_product_reference": "AppStream-9.0.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-42920",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2142707"
}
],
"notes": [
{
"category": "description",
"text": "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.0.0.Z.EUS:bcel-0:6.4.1-9.el9_0.noarch",
"AppStream-9.0.0.Z.EUS:bcel-0:6.4.1-9.el9_0.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42920"
},
{
"category": "external",
"summary": "RHBZ#2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42920"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4",
"url": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4"
}
],
"release_date": "2022-11-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-02T07:03:25+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.0.0.Z.EUS:bcel-0:6.4.1-9.el9_0.noarch",
"AppStream-9.0.0.Z.EUS:bcel-0:6.4.1-9.el9_0.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0004"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.0.0.Z.EUS:bcel-0:6.4.1-9.el9_0.noarch",
"AppStream-9.0.0.Z.EUS:bcel-0:6.4.1-9.el9_0.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing"
}
]
}
RHSA-2023:0005
Vulnerability from csaf_redhat - Published: 2023-01-02 06:53 - Updated: 2026-03-20 18:14Summary
Red Hat Security Advisory: bcel security update
Severity
Important
Notes
Topic: An update for bcel is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The Byte Code Engineering Library (Apache Commons BCEL) is intended to give users a convenient way to analyze, create, and manipulate (binary) Java class files (those ending with .class).
Security Fix(es):
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.
8.1 (High)
Affected products
Threats
Impact
Important
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for bcel is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Byte Code Engineering Library (Apache Commons BCEL) is intended to give users a convenient way to analyze, create, and manipulate (binary) Java class files (those ending with .class).\n\nSecurity Fix(es):\n\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0005",
"url": "https://access.redhat.com/errata/RHSA-2023:0005"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0005.json"
}
],
"title": "Red Hat Security Advisory: bcel security update",
"tracking": {
"current_release_date": "2026-03-20T18:14:02+00:00",
"generator": {
"date": "2026-03-20T18:14:02+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2023:0005",
"initial_release_date": "2023-01-02T06:53:37+00:00",
"revision_history": [
{
"date": "2023-01-02T06:53:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-02T06:53:37+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-20T18:14:02+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.1.0.Z.MAIN",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "bcel-0:6.4.1-9.el9_1.src",
"product": {
"name": "bcel-0:6.4.1-9.el9_1.src",
"product_id": "bcel-0:6.4.1-9.el9_1.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/bcel@6.4.1-9.el9_1?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "bcel-0:6.4.1-9.el9_1.noarch",
"product": {
"name": "bcel-0:6.4.1-9.el9_1.noarch",
"product_id": "bcel-0:6.4.1-9.el9_1.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/bcel@6.4.1-9.el9_1?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-0:6.4.1-9.el9_1.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.1.0.Z.MAIN:bcel-0:6.4.1-9.el9_1.noarch"
},
"product_reference": "bcel-0:6.4.1-9.el9_1.noarch",
"relates_to_product_reference": "AppStream-9.1.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "bcel-0:6.4.1-9.el9_1.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.1.0.Z.MAIN:bcel-0:6.4.1-9.el9_1.src"
},
"product_reference": "bcel-0:6.4.1-9.el9_1.src",
"relates_to_product_reference": "AppStream-9.1.0.Z.MAIN"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-42920",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2142707"
}
],
"notes": [
{
"category": "description",
"text": "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.1.0.Z.MAIN:bcel-0:6.4.1-9.el9_1.noarch",
"AppStream-9.1.0.Z.MAIN:bcel-0:6.4.1-9.el9_1.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42920"
},
{
"category": "external",
"summary": "RHBZ#2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42920"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4",
"url": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4"
}
],
"release_date": "2022-11-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-02T06:53:37+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.1.0.Z.MAIN:bcel-0:6.4.1-9.el9_1.noarch",
"AppStream-9.1.0.Z.MAIN:bcel-0:6.4.1-9.el9_1.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0005"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.1.0.Z.MAIN:bcel-0:6.4.1-9.el9_1.noarch",
"AppStream-9.1.0.Z.MAIN:bcel-0:6.4.1-9.el9_1.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing"
}
]
}
RHSA-2023:0470
Vulnerability from csaf_redhat - Published: 2023-01-26 12:19 - Updated: 2026-03-20 18:14Summary
Red Hat Security Advisory: Migration Toolkit for Runtimes security update
Severity
Important
Notes
Topic: An update is now available for Migration Toolkit for Runtimes (v1.0.1).
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Details: Security Fix(es):
* mtr-web-container: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.
8.1 (High)
Affected products
Fixed
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTR-1:mtr/mtr-operator-bundle@sha256:2379b68337e7c30b1a16df2aa114dc4bdd5d92400f2d14718263f77dd5d604c1_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTR-1:mtr/mtr-operator-bundle@sha256:cbc6a0ebe53a0168b4acbb92c3e96205c3e32288c6795cebef9d96c0492cb4b6_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTR-1:mtr/mtr-operator-bundle@sha256:d33f26cc2c138d6691bb59b53e8c195b3c7bf472b0f15935f451a5bb08e23fef_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTR-1:mtr/mtr-operator-bundle@sha256:e43aaeccb5b9fc164fc1efc8187c47c65f264169d9713146a7147774ec865549_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:4f0415ff69c5bb35e424594a25287430f0c725555392a4f3b65808c20c2fc0f3_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:59e047a02d0e940c01497fc85876022db3c2d5be5fab50d4cd3f2d37380f49a4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:9e4d389dcf4954e12cf99ca9822d49ae4ed89d480172fe97d60192ea88d8a6c8_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:ad42b359fdc8556467a325de3a03db7b67814e28d6abb13977f7e39045736832_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:1428ff808b386e83b1605caa8382186f09b8d74e910e8aa02fe48f74da28c72b_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:40a560bb8aaa885e9ccc83729a3a2464485e40ea92be8e974679af7721f389c9_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:5d1f0364180f972231ad23ebd8dc04218dfcd55973be4ed10587aea2d86fbdb5_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:8431f6f4f034a6c3088e1c4087eabf3097295a1ff808d863c8f2db4c6a5e4b73_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:9d961ea251247afcfbda80eb65178d88fa6c3542de76a43b5cd4eea3dca9492a_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:b539ddfdb09be3f1fe8c0d94949fef4f5d81df5d9a3adefbbef2c432f5f73a94_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:f46c74ef13141dd7deb126e150519584d304df237c84bdcd766ee9dadcc66ab7_amd64 | — |
Vendor Fix
fix
|
Threats
Impact
Important
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Migration Toolkit for Runtimes (v1.0.1).\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Security Fix(es):\n\n* mtr-web-container: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0470",
"url": "https://access.redhat.com/errata/RHSA-2023:0470"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0470.json"
}
],
"title": "Red Hat Security Advisory: Migration Toolkit for Runtimes security update",
"tracking": {
"current_release_date": "2026-03-20T18:14:01+00:00",
"generator": {
"date": "2026-03-20T18:14:01+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2023:0470",
"initial_release_date": "2023-01-26T12:19:52+00:00",
"revision_history": [
{
"date": "2023-01-26T12:19:52+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-26T12:19:52+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-20T18:14:01+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Migration Toolkit for Runtimes 1 on RHEL 8",
"product": {
"name": "Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "8Base-MTR-1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
}
}
}
],
"category": "product_family",
"name": "Migration Toolkit for Runtimes"
},
{
"branches": [
{
"category": "product_version",
"name": "mtr/mtr-operator-bundle@sha256:e43aaeccb5b9fc164fc1efc8187c47c65f264169d9713146a7147774ec865549_amd64",
"product": {
"name": "mtr/mtr-operator-bundle@sha256:e43aaeccb5b9fc164fc1efc8187c47c65f264169d9713146a7147774ec865549_amd64",
"product_id": "mtr/mtr-operator-bundle@sha256:e43aaeccb5b9fc164fc1efc8187c47c65f264169d9713146a7147774ec865549_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtr-operator-bundle@sha256:e43aaeccb5b9fc164fc1efc8187c47c65f264169d9713146a7147774ec865549?arch=amd64\u0026repository_url=registry.redhat.io/mtr/mtr-operator-bundle\u0026tag=1.0-30"
}
}
},
{
"category": "product_version",
"name": "mtr/mtr-rhel8-operator@sha256:ad42b359fdc8556467a325de3a03db7b67814e28d6abb13977f7e39045736832_amd64",
"product": {
"name": "mtr/mtr-rhel8-operator@sha256:ad42b359fdc8556467a325de3a03db7b67814e28d6abb13977f7e39045736832_amd64",
"product_id": "mtr/mtr-rhel8-operator@sha256:ad42b359fdc8556467a325de3a03db7b67814e28d6abb13977f7e39045736832_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtr-rhel8-operator@sha256:ad42b359fdc8556467a325de3a03db7b67814e28d6abb13977f7e39045736832?arch=amd64\u0026repository_url=registry.redhat.io/mtr/mtr-rhel8-operator\u0026tag=1.0-10"
}
}
},
{
"category": "product_version",
"name": "mtr/mtr-web-container-rhel8@sha256:40a560bb8aaa885e9ccc83729a3a2464485e40ea92be8e974679af7721f389c9_amd64",
"product": {
"name": "mtr/mtr-web-container-rhel8@sha256:40a560bb8aaa885e9ccc83729a3a2464485e40ea92be8e974679af7721f389c9_amd64",
"product_id": "mtr/mtr-web-container-rhel8@sha256:40a560bb8aaa885e9ccc83729a3a2464485e40ea92be8e974679af7721f389c9_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtr-web-container-rhel8@sha256:40a560bb8aaa885e9ccc83729a3a2464485e40ea92be8e974679af7721f389c9?arch=amd64\u0026repository_url=registry.redhat.io/mtr/mtr-web-container-rhel8\u0026tag=1.0-15"
}
}
},
{
"category": "product_version",
"name": "mtr/mtr-web-executor-container-rhel8@sha256:f46c74ef13141dd7deb126e150519584d304df237c84bdcd766ee9dadcc66ab7_amd64",
"product": {
"name": "mtr/mtr-web-executor-container-rhel8@sha256:f46c74ef13141dd7deb126e150519584d304df237c84bdcd766ee9dadcc66ab7_amd64",
"product_id": "mtr/mtr-web-executor-container-rhel8@sha256:f46c74ef13141dd7deb126e150519584d304df237c84bdcd766ee9dadcc66ab7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mtr-web-executor-container-rhel8@sha256:f46c74ef13141dd7deb126e150519584d304df237c84bdcd766ee9dadcc66ab7?arch=amd64\u0026repository_url=registry.redhat.io/mtr/mtr-web-executor-container-rhel8\u0026tag=1.0-14"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "mtr/mtr-operator-bundle@sha256:cbc6a0ebe53a0168b4acbb92c3e96205c3e32288c6795cebef9d96c0492cb4b6_arm64",
"product": {
"name": "mtr/mtr-operator-bundle@sha256:cbc6a0ebe53a0168b4acbb92c3e96205c3e32288c6795cebef9d96c0492cb4b6_arm64",
"product_id": "mtr/mtr-operator-bundle@sha256:cbc6a0ebe53a0168b4acbb92c3e96205c3e32288c6795cebef9d96c0492cb4b6_arm64",
"product_identification_helper": {
"purl": "pkg:oci/mtr-operator-bundle@sha256:cbc6a0ebe53a0168b4acbb92c3e96205c3e32288c6795cebef9d96c0492cb4b6?arch=arm64\u0026repository_url=registry.redhat.io/mtr/mtr-operator-bundle\u0026tag=1.0-30"
}
}
},
{
"category": "product_version",
"name": "mtr/mtr-rhel8-operator@sha256:59e047a02d0e940c01497fc85876022db3c2d5be5fab50d4cd3f2d37380f49a4_arm64",
"product": {
"name": "mtr/mtr-rhel8-operator@sha256:59e047a02d0e940c01497fc85876022db3c2d5be5fab50d4cd3f2d37380f49a4_arm64",
"product_id": "mtr/mtr-rhel8-operator@sha256:59e047a02d0e940c01497fc85876022db3c2d5be5fab50d4cd3f2d37380f49a4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/mtr-rhel8-operator@sha256:59e047a02d0e940c01497fc85876022db3c2d5be5fab50d4cd3f2d37380f49a4?arch=arm64\u0026repository_url=registry.redhat.io/mtr/mtr-rhel8-operator\u0026tag=1.0-10"
}
}
},
{
"category": "product_version",
"name": "mtr/mtr-web-executor-container-rhel8@sha256:8431f6f4f034a6c3088e1c4087eabf3097295a1ff808d863c8f2db4c6a5e4b73_arm64",
"product": {
"name": "mtr/mtr-web-executor-container-rhel8@sha256:8431f6f4f034a6c3088e1c4087eabf3097295a1ff808d863c8f2db4c6a5e4b73_arm64",
"product_id": "mtr/mtr-web-executor-container-rhel8@sha256:8431f6f4f034a6c3088e1c4087eabf3097295a1ff808d863c8f2db4c6a5e4b73_arm64",
"product_identification_helper": {
"purl": "pkg:oci/mtr-web-executor-container-rhel8@sha256:8431f6f4f034a6c3088e1c4087eabf3097295a1ff808d863c8f2db4c6a5e4b73?arch=arm64\u0026repository_url=registry.redhat.io/mtr/mtr-web-executor-container-rhel8\u0026tag=1.0-14"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "mtr/mtr-operator-bundle@sha256:2379b68337e7c30b1a16df2aa114dc4bdd5d92400f2d14718263f77dd5d604c1_ppc64le",
"product": {
"name": "mtr/mtr-operator-bundle@sha256:2379b68337e7c30b1a16df2aa114dc4bdd5d92400f2d14718263f77dd5d604c1_ppc64le",
"product_id": "mtr/mtr-operator-bundle@sha256:2379b68337e7c30b1a16df2aa114dc4bdd5d92400f2d14718263f77dd5d604c1_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/mtr-operator-bundle@sha256:2379b68337e7c30b1a16df2aa114dc4bdd5d92400f2d14718263f77dd5d604c1?arch=ppc64le\u0026repository_url=registry.redhat.io/mtr/mtr-operator-bundle\u0026tag=1.0-30"
}
}
},
{
"category": "product_version",
"name": "mtr/mtr-rhel8-operator@sha256:9e4d389dcf4954e12cf99ca9822d49ae4ed89d480172fe97d60192ea88d8a6c8_ppc64le",
"product": {
"name": "mtr/mtr-rhel8-operator@sha256:9e4d389dcf4954e12cf99ca9822d49ae4ed89d480172fe97d60192ea88d8a6c8_ppc64le",
"product_id": "mtr/mtr-rhel8-operator@sha256:9e4d389dcf4954e12cf99ca9822d49ae4ed89d480172fe97d60192ea88d8a6c8_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/mtr-rhel8-operator@sha256:9e4d389dcf4954e12cf99ca9822d49ae4ed89d480172fe97d60192ea88d8a6c8?arch=ppc64le\u0026repository_url=registry.redhat.io/mtr/mtr-rhel8-operator\u0026tag=1.0-10"
}
}
},
{
"category": "product_version",
"name": "mtr/mtr-web-container-rhel8@sha256:5d1f0364180f972231ad23ebd8dc04218dfcd55973be4ed10587aea2d86fbdb5_ppc64le",
"product": {
"name": "mtr/mtr-web-container-rhel8@sha256:5d1f0364180f972231ad23ebd8dc04218dfcd55973be4ed10587aea2d86fbdb5_ppc64le",
"product_id": "mtr/mtr-web-container-rhel8@sha256:5d1f0364180f972231ad23ebd8dc04218dfcd55973be4ed10587aea2d86fbdb5_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/mtr-web-container-rhel8@sha256:5d1f0364180f972231ad23ebd8dc04218dfcd55973be4ed10587aea2d86fbdb5?arch=ppc64le\u0026repository_url=registry.redhat.io/mtr/mtr-web-container-rhel8\u0026tag=1.0-15"
}
}
},
{
"category": "product_version",
"name": "mtr/mtr-web-executor-container-rhel8@sha256:b539ddfdb09be3f1fe8c0d94949fef4f5d81df5d9a3adefbbef2c432f5f73a94_ppc64le",
"product": {
"name": "mtr/mtr-web-executor-container-rhel8@sha256:b539ddfdb09be3f1fe8c0d94949fef4f5d81df5d9a3adefbbef2c432f5f73a94_ppc64le",
"product_id": "mtr/mtr-web-executor-container-rhel8@sha256:b539ddfdb09be3f1fe8c0d94949fef4f5d81df5d9a3adefbbef2c432f5f73a94_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/mtr-web-executor-container-rhel8@sha256:b539ddfdb09be3f1fe8c0d94949fef4f5d81df5d9a3adefbbef2c432f5f73a94?arch=ppc64le\u0026repository_url=registry.redhat.io/mtr/mtr-web-executor-container-rhel8\u0026tag=1.0-14"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "mtr/mtr-operator-bundle@sha256:d33f26cc2c138d6691bb59b53e8c195b3c7bf472b0f15935f451a5bb08e23fef_s390x",
"product": {
"name": "mtr/mtr-operator-bundle@sha256:d33f26cc2c138d6691bb59b53e8c195b3c7bf472b0f15935f451a5bb08e23fef_s390x",
"product_id": "mtr/mtr-operator-bundle@sha256:d33f26cc2c138d6691bb59b53e8c195b3c7bf472b0f15935f451a5bb08e23fef_s390x",
"product_identification_helper": {
"purl": "pkg:oci/mtr-operator-bundle@sha256:d33f26cc2c138d6691bb59b53e8c195b3c7bf472b0f15935f451a5bb08e23fef?arch=s390x\u0026repository_url=registry.redhat.io/mtr/mtr-operator-bundle\u0026tag=1.0-30"
}
}
},
{
"category": "product_version",
"name": "mtr/mtr-rhel8-operator@sha256:4f0415ff69c5bb35e424594a25287430f0c725555392a4f3b65808c20c2fc0f3_s390x",
"product": {
"name": "mtr/mtr-rhel8-operator@sha256:4f0415ff69c5bb35e424594a25287430f0c725555392a4f3b65808c20c2fc0f3_s390x",
"product_id": "mtr/mtr-rhel8-operator@sha256:4f0415ff69c5bb35e424594a25287430f0c725555392a4f3b65808c20c2fc0f3_s390x",
"product_identification_helper": {
"purl": "pkg:oci/mtr-rhel8-operator@sha256:4f0415ff69c5bb35e424594a25287430f0c725555392a4f3b65808c20c2fc0f3?arch=s390x\u0026repository_url=registry.redhat.io/mtr/mtr-rhel8-operator\u0026tag=1.0-10"
}
}
},
{
"category": "product_version",
"name": "mtr/mtr-web-container-rhel8@sha256:1428ff808b386e83b1605caa8382186f09b8d74e910e8aa02fe48f74da28c72b_s390x",
"product": {
"name": "mtr/mtr-web-container-rhel8@sha256:1428ff808b386e83b1605caa8382186f09b8d74e910e8aa02fe48f74da28c72b_s390x",
"product_id": "mtr/mtr-web-container-rhel8@sha256:1428ff808b386e83b1605caa8382186f09b8d74e910e8aa02fe48f74da28c72b_s390x",
"product_identification_helper": {
"purl": "pkg:oci/mtr-web-container-rhel8@sha256:1428ff808b386e83b1605caa8382186f09b8d74e910e8aa02fe48f74da28c72b?arch=s390x\u0026repository_url=registry.redhat.io/mtr/mtr-web-container-rhel8\u0026tag=1.0-15"
}
}
},
{
"category": "product_version",
"name": "mtr/mtr-web-executor-container-rhel8@sha256:9d961ea251247afcfbda80eb65178d88fa6c3542de76a43b5cd4eea3dca9492a_s390x",
"product": {
"name": "mtr/mtr-web-executor-container-rhel8@sha256:9d961ea251247afcfbda80eb65178d88fa6c3542de76a43b5cd4eea3dca9492a_s390x",
"product_id": "mtr/mtr-web-executor-container-rhel8@sha256:9d961ea251247afcfbda80eb65178d88fa6c3542de76a43b5cd4eea3dca9492a_s390x",
"product_identification_helper": {
"purl": "pkg:oci/mtr-web-executor-container-rhel8@sha256:9d961ea251247afcfbda80eb65178d88fa6c3542de76a43b5cd4eea3dca9492a?arch=s390x\u0026repository_url=registry.redhat.io/mtr/mtr-web-executor-container-rhel8\u0026tag=1.0-14"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mtr/mtr-operator-bundle@sha256:2379b68337e7c30b1a16df2aa114dc4bdd5d92400f2d14718263f77dd5d604c1_ppc64le as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:2379b68337e7c30b1a16df2aa114dc4bdd5d92400f2d14718263f77dd5d604c1_ppc64le"
},
"product_reference": "mtr/mtr-operator-bundle@sha256:2379b68337e7c30b1a16df2aa114dc4bdd5d92400f2d14718263f77dd5d604c1_ppc64le",
"relates_to_product_reference": "8Base-MTR-1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mtr/mtr-operator-bundle@sha256:cbc6a0ebe53a0168b4acbb92c3e96205c3e32288c6795cebef9d96c0492cb4b6_arm64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:cbc6a0ebe53a0168b4acbb92c3e96205c3e32288c6795cebef9d96c0492cb4b6_arm64"
},
"product_reference": "mtr/mtr-operator-bundle@sha256:cbc6a0ebe53a0168b4acbb92c3e96205c3e32288c6795cebef9d96c0492cb4b6_arm64",
"relates_to_product_reference": "8Base-MTR-1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mtr/mtr-operator-bundle@sha256:d33f26cc2c138d6691bb59b53e8c195b3c7bf472b0f15935f451a5bb08e23fef_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:d33f26cc2c138d6691bb59b53e8c195b3c7bf472b0f15935f451a5bb08e23fef_s390x"
},
"product_reference": "mtr/mtr-operator-bundle@sha256:d33f26cc2c138d6691bb59b53e8c195b3c7bf472b0f15935f451a5bb08e23fef_s390x",
"relates_to_product_reference": "8Base-MTR-1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mtr/mtr-operator-bundle@sha256:e43aaeccb5b9fc164fc1efc8187c47c65f264169d9713146a7147774ec865549_amd64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:e43aaeccb5b9fc164fc1efc8187c47c65f264169d9713146a7147774ec865549_amd64"
},
"product_reference": "mtr/mtr-operator-bundle@sha256:e43aaeccb5b9fc164fc1efc8187c47c65f264169d9713146a7147774ec865549_amd64",
"relates_to_product_reference": "8Base-MTR-1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mtr/mtr-rhel8-operator@sha256:4f0415ff69c5bb35e424594a25287430f0c725555392a4f3b65808c20c2fc0f3_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:4f0415ff69c5bb35e424594a25287430f0c725555392a4f3b65808c20c2fc0f3_s390x"
},
"product_reference": "mtr/mtr-rhel8-operator@sha256:4f0415ff69c5bb35e424594a25287430f0c725555392a4f3b65808c20c2fc0f3_s390x",
"relates_to_product_reference": "8Base-MTR-1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mtr/mtr-rhel8-operator@sha256:59e047a02d0e940c01497fc85876022db3c2d5be5fab50d4cd3f2d37380f49a4_arm64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:59e047a02d0e940c01497fc85876022db3c2d5be5fab50d4cd3f2d37380f49a4_arm64"
},
"product_reference": "mtr/mtr-rhel8-operator@sha256:59e047a02d0e940c01497fc85876022db3c2d5be5fab50d4cd3f2d37380f49a4_arm64",
"relates_to_product_reference": "8Base-MTR-1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mtr/mtr-rhel8-operator@sha256:9e4d389dcf4954e12cf99ca9822d49ae4ed89d480172fe97d60192ea88d8a6c8_ppc64le as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:9e4d389dcf4954e12cf99ca9822d49ae4ed89d480172fe97d60192ea88d8a6c8_ppc64le"
},
"product_reference": "mtr/mtr-rhel8-operator@sha256:9e4d389dcf4954e12cf99ca9822d49ae4ed89d480172fe97d60192ea88d8a6c8_ppc64le",
"relates_to_product_reference": "8Base-MTR-1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mtr/mtr-rhel8-operator@sha256:ad42b359fdc8556467a325de3a03db7b67814e28d6abb13977f7e39045736832_amd64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:ad42b359fdc8556467a325de3a03db7b67814e28d6abb13977f7e39045736832_amd64"
},
"product_reference": "mtr/mtr-rhel8-operator@sha256:ad42b359fdc8556467a325de3a03db7b67814e28d6abb13977f7e39045736832_amd64",
"relates_to_product_reference": "8Base-MTR-1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mtr/mtr-web-container-rhel8@sha256:1428ff808b386e83b1605caa8382186f09b8d74e910e8aa02fe48f74da28c72b_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:1428ff808b386e83b1605caa8382186f09b8d74e910e8aa02fe48f74da28c72b_s390x"
},
"product_reference": "mtr/mtr-web-container-rhel8@sha256:1428ff808b386e83b1605caa8382186f09b8d74e910e8aa02fe48f74da28c72b_s390x",
"relates_to_product_reference": "8Base-MTR-1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mtr/mtr-web-container-rhel8@sha256:40a560bb8aaa885e9ccc83729a3a2464485e40ea92be8e974679af7721f389c9_amd64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:40a560bb8aaa885e9ccc83729a3a2464485e40ea92be8e974679af7721f389c9_amd64"
},
"product_reference": "mtr/mtr-web-container-rhel8@sha256:40a560bb8aaa885e9ccc83729a3a2464485e40ea92be8e974679af7721f389c9_amd64",
"relates_to_product_reference": "8Base-MTR-1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mtr/mtr-web-container-rhel8@sha256:5d1f0364180f972231ad23ebd8dc04218dfcd55973be4ed10587aea2d86fbdb5_ppc64le as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:5d1f0364180f972231ad23ebd8dc04218dfcd55973be4ed10587aea2d86fbdb5_ppc64le"
},
"product_reference": "mtr/mtr-web-container-rhel8@sha256:5d1f0364180f972231ad23ebd8dc04218dfcd55973be4ed10587aea2d86fbdb5_ppc64le",
"relates_to_product_reference": "8Base-MTR-1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mtr/mtr-web-executor-container-rhel8@sha256:8431f6f4f034a6c3088e1c4087eabf3097295a1ff808d863c8f2db4c6a5e4b73_arm64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:8431f6f4f034a6c3088e1c4087eabf3097295a1ff808d863c8f2db4c6a5e4b73_arm64"
},
"product_reference": "mtr/mtr-web-executor-container-rhel8@sha256:8431f6f4f034a6c3088e1c4087eabf3097295a1ff808d863c8f2db4c6a5e4b73_arm64",
"relates_to_product_reference": "8Base-MTR-1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mtr/mtr-web-executor-container-rhel8@sha256:9d961ea251247afcfbda80eb65178d88fa6c3542de76a43b5cd4eea3dca9492a_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:9d961ea251247afcfbda80eb65178d88fa6c3542de76a43b5cd4eea3dca9492a_s390x"
},
"product_reference": "mtr/mtr-web-executor-container-rhel8@sha256:9d961ea251247afcfbda80eb65178d88fa6c3542de76a43b5cd4eea3dca9492a_s390x",
"relates_to_product_reference": "8Base-MTR-1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mtr/mtr-web-executor-container-rhel8@sha256:b539ddfdb09be3f1fe8c0d94949fef4f5d81df5d9a3adefbbef2c432f5f73a94_ppc64le as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:b539ddfdb09be3f1fe8c0d94949fef4f5d81df5d9a3adefbbef2c432f5f73a94_ppc64le"
},
"product_reference": "mtr/mtr-web-executor-container-rhel8@sha256:b539ddfdb09be3f1fe8c0d94949fef4f5d81df5d9a3adefbbef2c432f5f73a94_ppc64le",
"relates_to_product_reference": "8Base-MTR-1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mtr/mtr-web-executor-container-rhel8@sha256:f46c74ef13141dd7deb126e150519584d304df237c84bdcd766ee9dadcc66ab7_amd64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:f46c74ef13141dd7deb126e150519584d304df237c84bdcd766ee9dadcc66ab7_amd64"
},
"product_reference": "mtr/mtr-web-executor-container-rhel8@sha256:f46c74ef13141dd7deb126e150519584d304df237c84bdcd766ee9dadcc66ab7_amd64",
"relates_to_product_reference": "8Base-MTR-1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-42920",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2142707"
}
],
"notes": [
{
"category": "description",
"text": "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-MTR-1:mtr/mtr-operator-bundle@sha256:2379b68337e7c30b1a16df2aa114dc4bdd5d92400f2d14718263f77dd5d604c1_ppc64le",
"8Base-MTR-1:mtr/mtr-operator-bundle@sha256:cbc6a0ebe53a0168b4acbb92c3e96205c3e32288c6795cebef9d96c0492cb4b6_arm64",
"8Base-MTR-1:mtr/mtr-operator-bundle@sha256:d33f26cc2c138d6691bb59b53e8c195b3c7bf472b0f15935f451a5bb08e23fef_s390x",
"8Base-MTR-1:mtr/mtr-operator-bundle@sha256:e43aaeccb5b9fc164fc1efc8187c47c65f264169d9713146a7147774ec865549_amd64",
"8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:4f0415ff69c5bb35e424594a25287430f0c725555392a4f3b65808c20c2fc0f3_s390x",
"8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:59e047a02d0e940c01497fc85876022db3c2d5be5fab50d4cd3f2d37380f49a4_arm64",
"8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:9e4d389dcf4954e12cf99ca9822d49ae4ed89d480172fe97d60192ea88d8a6c8_ppc64le",
"8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:ad42b359fdc8556467a325de3a03db7b67814e28d6abb13977f7e39045736832_amd64",
"8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:1428ff808b386e83b1605caa8382186f09b8d74e910e8aa02fe48f74da28c72b_s390x",
"8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:40a560bb8aaa885e9ccc83729a3a2464485e40ea92be8e974679af7721f389c9_amd64",
"8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:5d1f0364180f972231ad23ebd8dc04218dfcd55973be4ed10587aea2d86fbdb5_ppc64le",
"8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:8431f6f4f034a6c3088e1c4087eabf3097295a1ff808d863c8f2db4c6a5e4b73_arm64",
"8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:9d961ea251247afcfbda80eb65178d88fa6c3542de76a43b5cd4eea3dca9492a_s390x",
"8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:b539ddfdb09be3f1fe8c0d94949fef4f5d81df5d9a3adefbbef2c432f5f73a94_ppc64le",
"8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:f46c74ef13141dd7deb126e150519584d304df237c84bdcd766ee9dadcc66ab7_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42920"
},
{
"category": "external",
"summary": "RHBZ#2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42920"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4",
"url": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4"
}
],
"release_date": "2022-11-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-26T12:19:52+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-MTR-1:mtr/mtr-operator-bundle@sha256:2379b68337e7c30b1a16df2aa114dc4bdd5d92400f2d14718263f77dd5d604c1_ppc64le",
"8Base-MTR-1:mtr/mtr-operator-bundle@sha256:cbc6a0ebe53a0168b4acbb92c3e96205c3e32288c6795cebef9d96c0492cb4b6_arm64",
"8Base-MTR-1:mtr/mtr-operator-bundle@sha256:d33f26cc2c138d6691bb59b53e8c195b3c7bf472b0f15935f451a5bb08e23fef_s390x",
"8Base-MTR-1:mtr/mtr-operator-bundle@sha256:e43aaeccb5b9fc164fc1efc8187c47c65f264169d9713146a7147774ec865549_amd64",
"8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:4f0415ff69c5bb35e424594a25287430f0c725555392a4f3b65808c20c2fc0f3_s390x",
"8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:59e047a02d0e940c01497fc85876022db3c2d5be5fab50d4cd3f2d37380f49a4_arm64",
"8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:9e4d389dcf4954e12cf99ca9822d49ae4ed89d480172fe97d60192ea88d8a6c8_ppc64le",
"8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:ad42b359fdc8556467a325de3a03db7b67814e28d6abb13977f7e39045736832_amd64",
"8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:1428ff808b386e83b1605caa8382186f09b8d74e910e8aa02fe48f74da28c72b_s390x",
"8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:40a560bb8aaa885e9ccc83729a3a2464485e40ea92be8e974679af7721f389c9_amd64",
"8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:5d1f0364180f972231ad23ebd8dc04218dfcd55973be4ed10587aea2d86fbdb5_ppc64le",
"8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:8431f6f4f034a6c3088e1c4087eabf3097295a1ff808d863c8f2db4c6a5e4b73_arm64",
"8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:9d961ea251247afcfbda80eb65178d88fa6c3542de76a43b5cd4eea3dca9492a_s390x",
"8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:b539ddfdb09be3f1fe8c0d94949fef4f5d81df5d9a3adefbbef2c432f5f73a94_ppc64le",
"8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:f46c74ef13141dd7deb126e150519584d304df237c84bdcd766ee9dadcc66ab7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0470"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-MTR-1:mtr/mtr-operator-bundle@sha256:2379b68337e7c30b1a16df2aa114dc4bdd5d92400f2d14718263f77dd5d604c1_ppc64le",
"8Base-MTR-1:mtr/mtr-operator-bundle@sha256:cbc6a0ebe53a0168b4acbb92c3e96205c3e32288c6795cebef9d96c0492cb4b6_arm64",
"8Base-MTR-1:mtr/mtr-operator-bundle@sha256:d33f26cc2c138d6691bb59b53e8c195b3c7bf472b0f15935f451a5bb08e23fef_s390x",
"8Base-MTR-1:mtr/mtr-operator-bundle@sha256:e43aaeccb5b9fc164fc1efc8187c47c65f264169d9713146a7147774ec865549_amd64",
"8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:4f0415ff69c5bb35e424594a25287430f0c725555392a4f3b65808c20c2fc0f3_s390x",
"8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:59e047a02d0e940c01497fc85876022db3c2d5be5fab50d4cd3f2d37380f49a4_arm64",
"8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:9e4d389dcf4954e12cf99ca9822d49ae4ed89d480172fe97d60192ea88d8a6c8_ppc64le",
"8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:ad42b359fdc8556467a325de3a03db7b67814e28d6abb13977f7e39045736832_amd64",
"8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:1428ff808b386e83b1605caa8382186f09b8d74e910e8aa02fe48f74da28c72b_s390x",
"8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:40a560bb8aaa885e9ccc83729a3a2464485e40ea92be8e974679af7721f389c9_amd64",
"8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:5d1f0364180f972231ad23ebd8dc04218dfcd55973be4ed10587aea2d86fbdb5_ppc64le",
"8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:8431f6f4f034a6c3088e1c4087eabf3097295a1ff808d863c8f2db4c6a5e4b73_arm64",
"8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:9d961ea251247afcfbda80eb65178d88fa6c3542de76a43b5cd4eea3dca9492a_s390x",
"8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:b539ddfdb09be3f1fe8c0d94949fef4f5d81df5d9a3adefbbef2c432f5f73a94_ppc64le",
"8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:f46c74ef13141dd7deb126e150519584d304df237c84bdcd766ee9dadcc66ab7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing"
}
]
}
RHSA-2023:0471
Vulnerability from csaf_redhat - Published: 2023-01-26 12:14 - Updated: 2026-04-29 18:01Summary
Red Hat Security Advisory: Migration Toolkit for Runtimes security update
Severity
Important
Notes
Topic: An update is now available for Migration Toolkit for Runtimes (v1.0.1).
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Details: Security Fix(es):
* jib-core: RCE via the isDockerInstalled (CVE-2022-25914)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
* loader-utils: Regular expression denial of service (CVE-2022-37603)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A vulnerability was found in the nodejs-minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Migration Toolkit for Runtimes 1 on RHEL 8
Red Hat / Migration Toolkit for Runtimes
|
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the jib-core package. This flaw allows an attacker to execute remote code into its target.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Migration Toolkit for Runtimes 1 on RHEL 8
Red Hat / Migration Toolkit for Runtimes
|
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Migration Toolkit for Runtimes 1 on RHEL 8
Red Hat / Migration Toolkit for Runtimes
|
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Migration Toolkit for Runtimes 1 on RHEL 8
Red Hat / Migration Toolkit for Runtimes
|
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Migration Toolkit for Runtimes 1 on RHEL 8
Red Hat / Migration Toolkit for Runtimes
|
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Migration Toolkit for Runtimes 1 on RHEL 8
Red Hat / Migration Toolkit for Runtimes
|
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
References
35 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Migration Toolkit for Runtimes (v1.0.1).\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Security Fix(es):\n\n* jib-core: RCE via the isDockerInstalled (CVE-2022-25914)\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)\n* loader-utils: Regular expression denial of service (CVE-2022-37603)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0471",
"url": "https://access.redhat.com/errata/RHSA-2023:0471"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=migration.toolkit.runtimes\u0026downloadType=distributions",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=migration.toolkit.runtimes\u0026downloadType=distributions"
},
{
"category": "external",
"summary": "2134344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134344"
},
{
"category": "external",
"summary": "2134609",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134609"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0471.json"
}
],
"title": "Red Hat Security Advisory: Migration Toolkit for Runtimes security update",
"tracking": {
"current_release_date": "2026-04-29T18:01:53+00:00",
"generator": {
"date": "2026-04-29T18:01:53+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2023:0471",
"initial_release_date": "2023-01-26T12:14:50+00:00",
"revision_history": [
{
"date": "2023-01-26T12:14:50+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-26T12:14:50+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-29T18:01:53+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Migration Toolkit for Runtimes 1 on RHEL 8",
"product": {
"name": "Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "Migration Toolkit for Runtimes 1 on RHEL 8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
}
}
}
],
"category": "product_family",
"name": "Migration Toolkit for Runtimes"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-3517",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2022-06-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134609"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the nodejs-minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-minimatch: ReDoS via the braceExpand function",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3517"
},
{
"category": "external",
"summary": "RHBZ#2134609",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134609"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3517",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3517"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517"
}
],
"release_date": "2022-02-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-26T12:14:50+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0471"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-minimatch: ReDoS via the braceExpand function"
},
{
"cve": "CVE-2022-25914",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134344"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the jib-core package. This flaw allows an attacker to execute remote code into its target.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jib-core: RCE via the isDockerInstalled",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25914"
},
{
"category": "external",
"summary": "RHBZ#2134344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134344"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25914",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25914"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25914",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25914"
}
],
"release_date": "2022-09-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-26T12:14:50+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0471"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jib-core: RCE via the isDockerInstalled"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-26T12:14:50+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0471"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-26T12:14:50+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0471"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-26T12:14:50+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0471"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-42920",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2142707"
}
],
"notes": [
{
"category": "description",
"text": "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42920"
},
{
"category": "external",
"summary": "RHBZ#2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42920"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4",
"url": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4"
}
],
"release_date": "2022-11-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-26T12:14:50+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0471"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing"
}
]
}
RHSA-2023:0934
Vulnerability from csaf_redhat - Published: 2023-02-28 00:50 - Updated: 2026-05-27 20:16Summary
Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update
Severity
Important
Notes
Topic: Migration Toolkit for Applications 6.0.1 release
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Details: Migration Toolkit for Applications 6.0.1 Images
Security Fix(es) from Bugzilla:
* loader-utils: prototype pollution in function parseQuery in parseQuery.js (CVE-2022-37601)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* gin: Unsanitized input in the default logger in github.com/gin-gonic/gin (CVE-2020-36567)
* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* express: "qs" prototype poisoning causes the hang of the node process (CVE-2022-24999)
* loader-utils:Regular expression denial of service (CVE-2022-37603)
* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 | — |
Vendor Fix
fix
|
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 | — |
Threats
Impact
Moderate
A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 | — |
Threats
Impact
Moderate
A flaw was found in the express.js npm package of nodejs:14 module stream. Express.js Express is vulnerable to a denial of service caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, a remote attacker can cause a denial of service.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 | — |
Threats
Impact
Moderate
A prototype pollution vulnerability was found in the parseQuery function in parseQuery.js in the webpack loader-utils via the name variable in parseQuery.js. This flaw can lead to a denial of service or remote code execution.
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 | — |
Threats
Impact
Moderate
A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 | — |
Threats
Impact
Moderate
A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
5.3 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 | — |
Vendor Fix
fix
|
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 | — |
Threats
Impact
Moderate
An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 | — |
Threats
Impact
Important
A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.
8.8 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 | — | ||
| Unresolved product id: 8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 | — |
Threats
Impact
Moderate
References
80 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Migration Toolkit for Applications 6.0.1 release\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Migration Toolkit for Applications 6.0.1 Images\n\nSecurity Fix(es) from Bugzilla:\n\n* loader-utils: prototype pollution in function parseQuery in parseQuery.js (CVE-2022-37601)\n\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n\n* gin: Unsanitized input in the default logger in github.com/gin-gonic/gin (CVE-2020-36567)\n\n* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n\n* express: \"qs\" prototype poisoning causes the hang of the node process (CVE-2022-24999)\n\n* loader-utils:Regular expression denial of service (CVE-2022-37603)\n\n* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0934",
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2134876",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134876"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "2150323",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150323"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "2156683",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156683"
},
{
"category": "external",
"summary": "2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "MTA-103",
"url": "https://issues.redhat.com/browse/MTA-103"
},
{
"category": "external",
"summary": "MTA-106",
"url": "https://issues.redhat.com/browse/MTA-106"
},
{
"category": "external",
"summary": "MTA-122",
"url": "https://issues.redhat.com/browse/MTA-122"
},
{
"category": "external",
"summary": "MTA-123",
"url": "https://issues.redhat.com/browse/MTA-123"
},
{
"category": "external",
"summary": "MTA-127",
"url": "https://issues.redhat.com/browse/MTA-127"
},
{
"category": "external",
"summary": "MTA-131",
"url": "https://issues.redhat.com/browse/MTA-131"
},
{
"category": "external",
"summary": "MTA-36",
"url": "https://issues.redhat.com/browse/MTA-36"
},
{
"category": "external",
"summary": "MTA-44",
"url": "https://issues.redhat.com/browse/MTA-44"
},
{
"category": "external",
"summary": "MTA-49",
"url": "https://issues.redhat.com/browse/MTA-49"
},
{
"category": "external",
"summary": "MTA-59",
"url": "https://issues.redhat.com/browse/MTA-59"
},
{
"category": "external",
"summary": "MTA-65",
"url": "https://issues.redhat.com/browse/MTA-65"
},
{
"category": "external",
"summary": "MTA-72",
"url": "https://issues.redhat.com/browse/MTA-72"
},
{
"category": "external",
"summary": "MTA-73",
"url": "https://issues.redhat.com/browse/MTA-73"
},
{
"category": "external",
"summary": "MTA-74",
"url": "https://issues.redhat.com/browse/MTA-74"
},
{
"category": "external",
"summary": "MTA-76",
"url": "https://issues.redhat.com/browse/MTA-76"
},
{
"category": "external",
"summary": "MTA-77",
"url": "https://issues.redhat.com/browse/MTA-77"
},
{
"category": "external",
"summary": "MTA-80",
"url": "https://issues.redhat.com/browse/MTA-80"
},
{
"category": "external",
"summary": "MTA-82",
"url": "https://issues.redhat.com/browse/MTA-82"
},
{
"category": "external",
"summary": "MTA-85",
"url": "https://issues.redhat.com/browse/MTA-85"
},
{
"category": "external",
"summary": "MTA-88",
"url": "https://issues.redhat.com/browse/MTA-88"
},
{
"category": "external",
"summary": "MTA-92",
"url": "https://issues.redhat.com/browse/MTA-92"
},
{
"category": "external",
"summary": "MTA-96",
"url": "https://issues.redhat.com/browse/MTA-96"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0934.json"
}
],
"title": "Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update",
"tracking": {
"current_release_date": "2026-05-27T20:16:53+00:00",
"generator": {
"date": "2026-05-27T20:16:53+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2023:0934",
"initial_release_date": "2023-02-28T00:50:28+00:00",
"revision_history": [
{
"date": "2023-02-28T00:50:28+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-02-28T23:46:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-27T20:16:53+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "MTA 6.0 for RHEL 8",
"product": {
"name": "MTA 6.0 for RHEL 8",
"product_id": "8Base-MTA-6.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:migration_toolkit_applications:6.0::el8"
}
}
}
],
"category": "product_family",
"name": "Migration Toolkit for Applications"
},
{
"branches": [
{
"category": "product_version",
"name": "mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"product": {
"name": "mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"product_id": "mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-admin-addon-rhel8\u0026tag=6.0.1-8"
}
}
},
{
"category": "product_version",
"name": "mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"product": {
"name": "mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"product_id": "mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-hub-rhel8\u0026tag=6.0.1-8"
}
}
},
{
"category": "product_version",
"name": "mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"product": {
"name": "mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"product_id": "mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-pathfinder-rhel8\u0026tag=6.0.1-6"
}
}
},
{
"category": "product_version",
"name": "mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"product": {
"name": "mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"product_id": "mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-ui-rhel8\u0026tag=6.0.1-10"
}
}
},
{
"category": "product_version",
"name": "mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64",
"product": {
"name": "mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64",
"product_id": "mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-windup-addon-rhel8\u0026tag=6.0.1-9"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64 as a component of MTA 6.0 for RHEL 8",
"product_id": "8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64"
},
"product_reference": "mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"relates_to_product_reference": "8Base-MTA-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64 as a component of MTA 6.0 for RHEL 8",
"product_id": "8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64"
},
"product_reference": "mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"relates_to_product_reference": "8Base-MTA-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64 as a component of MTA 6.0 for RHEL 8",
"product_id": "8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64"
},
"product_reference": "mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"relates_to_product_reference": "8Base-MTA-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64 as a component of MTA 6.0 for RHEL 8",
"product_id": "8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
},
"product_reference": "mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"relates_to_product_reference": "8Base-MTA-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64 as a component of MTA 6.0 for RHEL 8",
"product_id": "8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
},
"product_reference": "mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64",
"relates_to_product_reference": "8Base-MTA-6.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-36567",
"cwe": {
"id": "CWE-117",
"name": "Improper Output Neutralization for Logs"
},
"discovery_date": "2022-12-28T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156683"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "gin: Unsanitized input in the default logger in github.com/gin-gonic/gin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
],
"known_not_affected": [
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-36567"
},
{
"category": "external",
"summary": "RHBZ#2156683",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156683"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-36567",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36567"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-36567",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36567"
},
{
"category": "external",
"summary": "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d",
"url": "https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d"
},
{
"category": "external",
"summary": "https://github.com/gin-gonic/gin/pull/2237",
"url": "https://github.com/gin-gonic/gin/pull/2237"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2020-0001",
"url": "https://pkg.go.dev/vuln/GO-2020-0001"
}
],
"release_date": "2022-12-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-28T00:50:28+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "gin: Unsanitized input in the default logger in github.com/gin-gonic/gin"
},
{
"cve": "CVE-2021-35065",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156324"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob-parent: Regular Expression Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"known_not_affected": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-35065"
},
{
"category": "external",
"summary": "RHBZ#2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
}
],
"release_date": "2022-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-28T00:50:28+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "glob-parent: Regular Expression Denial of Service"
},
{
"cve": "CVE-2022-24999",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-02T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150323"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the express.js npm package of nodejs:14 module stream. Express.js Express is vulnerable to a denial of service caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "express: \"qs\" prototype poisoning causes the hang of the node process",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "- The qs and express Package is not used by the OpenShift Container Platform console directly and is only a third-party package dependency. Hence, it is marked as wontfix. \nAs a result, any services that depend on Openshift for their use of qs and express are marked won\u0027t fix. \n- In OpenShift Service Mesh, \u0027qs\u0027 is hoisted from storybook and node-sass, both are dev dependencies, and the vulnerability is not exposed to end users. Hence marked as wontfix.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"known_not_affected": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24999"
},
{
"category": "external",
"summary": "RHBZ#2150323",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150323"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24999",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24999"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999"
},
{
"category": "external",
"summary": "https://github.com/expressjs/express/releases/tag/4.17.3",
"url": "https://github.com/expressjs/express/releases/tag/4.17.3"
},
{
"category": "external",
"summary": "https://github.com/ljharb/qs/pull/428",
"url": "https://github.com/ljharb/qs/pull/428"
},
{
"category": "external",
"summary": "https://github.com/n8tz/CVE-2022-24999",
"url": "https://github.com/n8tz/CVE-2022-24999"
}
],
"release_date": "2022-11-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-28T00:50:28+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "express: \"qs\" prototype poisoning causes the hang of the node process"
},
{
"cve": "CVE-2022-37601",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-10-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134876"
}
],
"notes": [
{
"category": "description",
"text": "A prototype pollution vulnerability was found in the parseQuery function in parseQuery.js in the webpack loader-utils via the name variable in parseQuery.js. This flaw can lead to a denial of service or remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: prototype pollution in function parseQuery in parseQuery.js",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Packages shipped in Red Hat Enterprise Linux use \u0027loader-utils\u0027 as a transitive dependency. Thus, reducing the impact to Moderate.\n\nIn Red Hat containerized products like OCP and ODF, the vulnerable loader-utils NodeJS module is bundled as a transitive dependency, hence the direct impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"known_not_affected": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37601"
},
{
"category": "external",
"summary": "RHBZ#2134876",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134876"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37601",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37601"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37601",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37601"
},
{
"category": "external",
"summary": "https://github.com/webpack/loader-utils/issues/212",
"url": "https://github.com/webpack/loader-utils/issues/212"
}
],
"release_date": "2022-10-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-28T00:50:28+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: prototype pollution in function parseQuery in parseQuery.js"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"known_not_affected": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-28T00:50:28+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-41717",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-01-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2161274"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within Red Hat OpenShift Container Platform, the grafana container is listed as will not fix. Since OCP 4.10, Grafana itself is not shipped and the Grafana web server is protected behind an OAuth proxy server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
],
"known_not_affected": [
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41717"
},
{
"category": "external",
"summary": "RHBZ#2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717"
},
{
"category": "external",
"summary": "https://go.dev/cl/455635",
"url": "https://go.dev/cl/455635"
},
{
"category": "external",
"summary": "https://go.dev/cl/455717",
"url": "https://go.dev/cl/455717"
},
{
"category": "external",
"summary": "https://go.dev/issue/56350",
"url": "https://go.dev/issue/56350"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2022-1144",
"url": "https://pkg.go.dev/vuln/GO-2022-1144"
}
],
"release_date": "2022-11-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-28T00:50:28+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests"
},
{
"cve": "CVE-2022-42920",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2142707"
}
],
"notes": [
{
"category": "description",
"text": "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"known_not_affected": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42920"
},
{
"category": "external",
"summary": "RHBZ#2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42920"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4",
"url": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4"
}
],
"release_date": "2022-11-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-28T00:50:28+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"known_not_affected": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-28T00:50:28+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0934"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-MTA-6.0:mta/mta-admin-addon-rhel8@sha256:9445191232ad1ff1c2926b5a2194130502696a74620cda941675edc9c366b305_amd64",
"8Base-MTA-6.0:mta/mta-hub-rhel8@sha256:ebc8706761a518bd08447a6e51a35f81e5beb3840f3b6b66f656c23c36c07e76_amd64",
"8Base-MTA-6.0:mta/mta-pathfinder-rhel8@sha256:b50244562f83977574d1bd88adc1d259501c90f883596b15fa81e557844e2956_amd64",
"8Base-MTA-6.0:mta/mta-ui-rhel8@sha256:e00e79bc7fb1bc104b1d3e0ebc6b49c7d3c7885925e3c432d60b43f10aaec1c4_amd64",
"8Base-MTA-6.0:mta/mta-windup-addon-rhel8@sha256:9a912e054a7c46e07bdbfeb165f0e71ff3686bcdba9cd53d0ed6be8ff0607108_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
}
]
}
RHSA-2023:3954
Vulnerability from csaf_redhat - Published: 2023-06-29 20:07 - Updated: 2026-05-16 23:26Summary
Red Hat Security Advisory: Red Hat Fuse 7.12 release and security update
Severity
Critical
Notes
Topic: A minor version update (from 7.11 to 7.12) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
Security Fix(es):
* hazelcast: Hazelcast connection caching (CVE-2022-36437)
* spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security (CVE-2022-31692)
* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name (CVE-2012-5783)
* apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)
* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* batik: Server-Side Request Forgery (CVE-2022-38398)
* batik: Server-Side Request Forgery (CVE-2022-38648)
* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)
* batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)
* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
* engine.io: Specially crafted HTTP request can trigger an uncaught exception (CVE-2022-41940)
* postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)
* batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)
* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
* tomcat: JsonErrorReportValve injection (CVE-2022-45143)
For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step ( that should at least be performed by default) in HTTPS and in http/2.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the spring-security framework. Spring Security could allow a remote attacker to bypass security restrictions caused by an issue when using forward or include dispatcher types. By sending a specially-crafted request, an attacker can bypass authorization rules.
7.4 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Hazelcast and Hazelcast Jet. This flaw may allow an attacker unauthenticated access to manipulate data in the cluster.
9.1 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Critical
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Batik. This issue may allow a malicious user to run untrusted Java code from an SVG.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in engine.io. The Socket.IO Engine.IO is vulnerable to a denial of service caused by an uncaught exception flaw. By sending a specially-crafted HTTP request, a remote, authenticated attacker can cause the Node.js process to crash, resulting in a denial of service.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.
5.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Batik of Apache XML Graphics. This issue may allow a malicious user to run Java code from untrusted SVG via JavaScript.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the Tomcat package. This flaw allowed users to input an invalid JSON structure, causing unwanted behavior as it did not escape the type, message, or description values.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed behind a proxy that caches 404 responses. This issue may cause a denial of service (DoS) attack.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Apache Shiro. This issue may allow a malicious user to send a specially crafted HTTP request that could cause an authentication bypass.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Fuse 7.12
Red Hat / Red Hat JBoss Fuse
|
cpe:/a:redhat:jboss_fuse:7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
167 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A minor version update (from 7.11 to 7.12) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.\n\nSecurity Fix(es):\n\n* hazelcast: Hazelcast connection caching (CVE-2022-36437)\n\n* spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security (CVE-2022-31692)\n\n* xstream: Denial of Service by injecting recursive collections or maps based on element\u0027s hash values raising a stack overflow (CVE-2022-41966)\n\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n\n* Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n\n* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)\n\n* jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name (CVE-2012-5783)\n\n* apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)\n\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n\n* batik: Server-Side Request Forgery (CVE-2022-38398)\n\n* batik: Server-Side Request Forgery (CVE-2022-38648)\n\n* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)\n\n* batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)\n\n* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)\n\n* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)\n\n* engine.io: Specially crafted HTTP request can trigger an uncaught exception (CVE-2022-41940)\n\n* postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)\n\n* batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)\n\n* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)\n\n* shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)\n\n* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)\n\n* tomcat: JsonErrorReportValve injection (CVE-2022-45143)\n\nFor more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:3954",
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.fuse\u0026version=7.12.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.fuse\u0026version=7.12.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.12/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.12/"
},
{
"category": "external",
"summary": "873317",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=873317"
},
{
"category": "external",
"summary": "1886587",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886587"
},
{
"category": "external",
"summary": "2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "2144970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144970"
},
{
"category": "external",
"summary": "2151988",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2151988"
},
{
"category": "external",
"summary": "2153260",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260"
},
{
"category": "external",
"summary": "2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "2153399",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153399"
},
{
"category": "external",
"summary": "2155291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155291"
},
{
"category": "external",
"summary": "2155292",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155292"
},
{
"category": "external",
"summary": "2155295",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155295"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2158695",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158695"
},
{
"category": "external",
"summary": "2162053",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162053"
},
{
"category": "external",
"summary": "2162206",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162206"
},
{
"category": "external",
"summary": "2170431",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170431"
},
{
"category": "external",
"summary": "2174246",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174246"
},
{
"category": "external",
"summary": "2180528",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180528"
},
{
"category": "external",
"summary": "2180530",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180530"
},
{
"category": "external",
"summary": "2182182",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182182"
},
{
"category": "external",
"summary": "2182183",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182183"
},
{
"category": "external",
"summary": "2182198",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182198"
},
{
"category": "external",
"summary": "2188542",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188542"
},
{
"category": "external",
"summary": "2209342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209342"
},
{
"category": "external",
"summary": "2215465",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215465"
},
{
"category": "external",
"summary": "ENTESB-20598",
"url": "https://issues.redhat.com/browse/ENTESB-20598"
},
{
"category": "external",
"summary": "ENTESB-21418",
"url": "https://issues.redhat.com/browse/ENTESB-21418"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3954.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Fuse 7.12 release and security update",
"tracking": {
"current_release_date": "2026-05-16T23:26:27+00:00",
"generator": {
"date": "2026-05-16T23:26:27+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2023:3954",
"initial_release_date": "2023-06-29T20:07:23+00:00",
"revision_history": [
{
"date": "2023-06-29T20:07:23+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-06-29T20:07:23+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-16T23:26:27+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Fuse 7.12",
"product": {
"name": "Red Hat Fuse 7.12",
"product_id": "Red Hat Fuse 7.12",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_fuse:7"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Fuse"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2012-5783",
"discovery_date": "2012-11-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "873317"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5783"
},
{
"category": "external",
"summary": "RHBZ#873317",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=873317"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5783",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5783"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5783",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5783"
}
],
"release_date": "2012-10-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name"
},
{
"cve": "CVE-2020-13956",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2020-10-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1886587"
}
],
"notes": [
{
"category": "description",
"text": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-httpclient: incorrect handling of malformed authority component in request URIs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP) the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable httpclient library to authenticated users only. Additionally the vulnerable httpclient library is not used directly in OCP components, therefore the impact by this vulnerability is Low.\nIn OCP 4 there are no plans to maintain ose-logging-elasticsearch5 container, hence marked as wontfix.\n\nIn the Red Hat Enterprise Linux platforms, Maven 35 and 36 are affected via their respective `httpcomponents-client` component.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-13956"
},
{
"category": "external",
"summary": "RHBZ#1886587",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886587"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-13956",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13956"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13956",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13956"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2020/10/08/4",
"url": "https://www.openwall.com/lists/oss-security/2020/10/08/4"
}
],
"release_date": "2020-10-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-httpclient: incorrect handling of malformed authority component in request URIs"
},
{
"cve": "CVE-2022-4492",
"cwe": {
"id": "CWE-550",
"name": "Server-generated Error Message Containing Sensitive Information"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153260"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step ( that should at least be performed by default) in HTTPS and in http/2.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: Server identity in https connection is not checked by the undertow client",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4492"
},
{
"category": "external",
"summary": "RHBZ#2153260",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4492",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4492"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4492",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4492"
}
],
"release_date": "2022-12-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undertow: Server identity in https connection is not checked by the undertow client"
},
{
"cve": "CVE-2022-24785",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-04-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2072009"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Moment.js: Path traversal in moment.locale",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Quay 3.10 and above, no version of affected momentjs is present.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24785"
},
{
"category": "external",
"summary": "RHBZ#2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
"url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
}
],
"release_date": "2022-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
},
{
"category": "workaround",
"details": "Sanitize the user-provided locale name before passing it to Moment.js.",
"product_ids": [
"Red Hat Fuse 7.12"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Moment.js: Path traversal in moment.locale"
},
{
"cve": "CVE-2022-31692",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"discovery_date": "2023-01-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2162206"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the spring-security framework. Spring Security could allow a remote attacker to bypass security restrictions caused by an issue when using forward or include dispatcher types. By sending a specially-crafted request, an attacker can bypass authorization rules.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31692"
},
{
"category": "external",
"summary": "RHBZ#2162206",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162206"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31692",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31692"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31692",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31692"
},
{
"category": "external",
"summary": "https://spring.io/security/cve-2022-31692",
"url": "https://spring.io/security/cve-2022-31692"
}
],
"release_date": "2022-10-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security"
},
{
"cve": "CVE-2022-36437",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2023-01-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2162053"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Hazelcast and Hazelcast Jet. This flaw may allow an attacker unauthenticated access to manipulate data in the cluster.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "hazelcast: Hazelcast connection caching",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration - Camel Quarkus Extensions: Hazelcast is contained in camel-quarkus-hazelcast but it does not affect any supported component. This package is community support only. Hence the low impact for Camel Quarkus Extension.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36437"
},
{
"category": "external",
"summary": "RHBZ#2162053",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162053"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36437",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36437"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36437",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36437"
},
{
"category": "external",
"summary": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp",
"url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp"
}
],
"release_date": "2022-12-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "hazelcast: Hazelcast connection caching"
},
{
"cve": "CVE-2022-38398",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155292"
}
],
"notes": [
{
"category": "description",
"text": "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "batik: Server-Side Request Forgery",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38398"
},
{
"category": "external",
"summary": "RHBZ#2155292",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155292"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38398",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38398"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38398",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38398"
},
{
"category": "external",
"summary": "http://svn.apache.org/viewvc?view=revision\u0026revision=1903462",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1903462"
},
{
"category": "external",
"summary": "https://issues.apache.org/jira/browse/BATIK-1331",
"url": "https://issues.apache.org/jira/browse/BATIK-1331"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx",
"url": "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx"
}
],
"release_date": "2022-09-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "batik: Server-Side Request Forgery"
},
{
"cve": "CVE-2022-38648",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155295"
}
],
"notes": [
{
"category": "description",
"text": "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "batik: Server-Side Request Forgery",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38648"
},
{
"category": "external",
"summary": "RHBZ#2155295",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155295"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38648",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38648"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38648",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38648"
},
{
"category": "external",
"summary": "http://svn.apache.org/viewvc?view=revision\u0026revision=1903625",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1903625"
},
{
"category": "external",
"summary": "https://issues.apache.org/jira/browse/BATIK-1333",
"url": "https://issues.apache.org/jira/browse/BATIK-1333"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b",
"url": "https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b"
}
],
"release_date": "2022-09-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "batik: Server-Side Request Forgery"
},
{
"cve": "CVE-2022-40146",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155291"
}
],
"notes": [
{
"category": "description",
"text": "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "batik: Server-Side Request Forgery (SSRF) vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40146"
},
{
"category": "external",
"summary": "RHBZ#2155291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40146",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40146"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40146",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40146"
},
{
"category": "external",
"summary": "http://svn.apache.org/viewvc?view=revision\u0026revision=1903910",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1903910"
},
{
"category": "external",
"summary": "https://issues.apache.org/jira/browse/BATIK-1335",
"url": "https://issues.apache.org/jira/browse/BATIK-1335"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx",
"url": "https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx"
}
],
"release_date": "2022-09-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "batik: Server-Side Request Forgery (SSRF) vulnerability"
},
{
"cve": "CVE-2022-41704",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2023-03-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2182182"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Batik.\u00a0This issue may allow a malicious user to run untrusted Java code from an SVG.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "batik: Apache XML Graphics Batik vulnerable to code execution via SVG",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41704"
},
{
"category": "external",
"summary": "RHBZ#2182182",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182182"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41704",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41704"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41704",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41704"
}
],
"release_date": "2022-10-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "batik: Apache XML Graphics Batik vulnerable to code execution via SVG"
},
{
"cve": "CVE-2022-41854",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2151988"
}
],
"notes": [
{
"category": "description",
"text": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "dev-java/snakeyaml: DoS via stack overflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41854"
},
{
"category": "external",
"summary": "RHBZ#2151988",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2151988"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41854",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355"
},
{
"category": "external",
"summary": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355"
}
],
"release_date": "2022-11-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "dev-java/snakeyaml: DoS via stack overflow"
},
{
"cve": "CVE-2022-41881",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153379"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41881"
},
{
"category": "external",
"summary": "RHBZ#2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881"
}
],
"release_date": "2022-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS"
},
{
"cve": "CVE-2022-41940",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2022-11-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2144970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in engine.io. The Socket.IO Engine.IO is vulnerable to a denial of service caused by an uncaught exception flaw. By sending a specially-crafted HTTP request, a remote, authenticated attacker can cause the Node.js process to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "engine.io: Specially crafted HTTP request can trigger an uncaught exception",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41940"
},
{
"category": "external",
"summary": "RHBZ#2144970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41940",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41940"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41940",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41940"
}
],
"release_date": "2022-11-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "engine.io: Specially crafted HTTP request can trigger an uncaught exception"
},
{
"cve": "CVE-2022-41946",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153399"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn\u0027t make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41946"
},
{
"category": "external",
"summary": "RHBZ#2153399",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153399"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41946",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41946"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41946",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41946"
}
],
"release_date": "2022-11-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions"
},
{
"cve": "CVE-2022-41966",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-02-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2170431"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Denial of Service by injecting recursive collections or maps based on element\u0027s hash values raising a stack overflow",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\n\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41966"
},
{
"category": "external",
"summary": "RHBZ#2170431",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170431"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41966",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41966"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41966",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41966"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv"
}
],
"release_date": "2022-12-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "xstream: Denial of Service by injecting recursive collections or maps based on element\u0027s hash values raising a stack overflow"
},
{
"cve": "CVE-2022-42890",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2023-03-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2182183"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Batik of Apache XML Graphics. This issue may allow a malicious user to run Java code from untrusted SVG via JavaScript.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "batik: Untrusted code execution in Apache XML Graphics Batik",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42890"
},
{
"category": "external",
"summary": "RHBZ#2182183",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182183"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42890",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42890"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42890",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42890"
}
],
"release_date": "2022-10-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "batik: Untrusted code execution in Apache XML Graphics Batik"
},
{
"cve": "CVE-2022-42920",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2142707"
}
],
"notes": [
{
"category": "description",
"text": "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42920"
},
{
"category": "external",
"summary": "RHBZ#2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42920"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4",
"url": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4"
}
],
"release_date": "2022-11-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing"
},
{
"cve": "CVE-2022-45143",
"cwe": {
"id": "CWE-74",
"name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
},
"discovery_date": "2023-01-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158695"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Tomcat package. This flaw allowed users to input an invalid JSON structure, causing unwanted behavior as it did not escape the type, message, or description values.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: JsonErrorReportValve injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Although it may be rated as CVSS 7.5, it\u0027s still considered a low impact flaw as according to the advisory report from Apache, user controlled data may occur in specific cases only and may alter some specific fields only.\n\nRed Hat Satellite does not include the affected Apache Tomcat, however, Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45143"
},
{
"category": "external",
"summary": "RHBZ#2158695",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158695"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45143"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj",
"url": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj"
}
],
"release_date": "2023-01-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "tomcat: JsonErrorReportValve injection"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"cve": "CVE-2023-1108",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2023-02-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2174246"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Undertow: Infinite loop in SslConduit during close",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-1108"
},
{
"category": "external",
"summary": "RHBZ#2174246",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174246"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-1108",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1108"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1108",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1108"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-m4mm-pg93-fv78",
"url": "https://github.com/advisories/GHSA-m4mm-pg93-fv78"
}
],
"release_date": "2023-03-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Undertow: Infinite loop in SslConduit during close"
},
{
"cve": "CVE-2023-1370",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2023-04-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2188542"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json-smart package. This security flaw occurs when reaching a \u2018[\u2018 or \u2018{\u2018 character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-1370"
},
{
"category": "external",
"summary": "RHBZ#2188542",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188542"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-1370",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-493p-pfq6-5258",
"url": "https://github.com/advisories/GHSA-493p-pfq6-5258"
},
{
"category": "external",
"summary": "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/",
"url": "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/"
}
],
"release_date": "2023-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)"
},
{
"cve": "CVE-2023-20860",
"cwe": {
"id": "CWE-155",
"name": "Improper Neutralization of Wildcards or Matching Symbols"
},
"discovery_date": "2023-03-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2180528"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-20860"
},
{
"category": "external",
"summary": "RHBZ#2180528",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180528"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-20860",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20860"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20860",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20860"
},
{
"category": "external",
"summary": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861",
"url": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861"
}
],
"release_date": "2023-03-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern"
},
{
"cve": "CVE-2023-20861",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-03-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2180530"
}
],
"notes": [
{
"category": "description",
"text": "A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "springframework: Spring Expression DoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-20861"
},
{
"category": "external",
"summary": "RHBZ#2180530",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180530"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-20861",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20861"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20861",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20861"
},
{
"category": "external",
"summary": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861",
"url": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861"
}
],
"release_date": "2023-03-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "springframework: Spring Expression DoS Vulnerability"
},
{
"cve": "CVE-2023-20883",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-05-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2209342"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot\u0027s welcome page support, either static or templated, resulting in the application being deployed behind a proxy that caches 404 responses. This issue may cause a denial of service (DoS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "spring-boot: Spring Boot Welcome Page DoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-20883"
},
{
"category": "external",
"summary": "RHBZ#2209342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209342"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-20883",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20883"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20883",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20883"
}
],
"release_date": "2023-05-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "spring-boot: Spring Boot Welcome Page DoS Vulnerability"
},
{
"cve": "CVE-2023-22602",
"cwe": {
"id": "CWE-436",
"name": "Interpretation Conflict"
},
"discovery_date": "2023-03-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2182198"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Shiro. This issue may allow a malicious user to send a specially crafted HTTP request that could cause an authentication bypass.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "shiro: Authentication bypass through a specially crafted HTTP request",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-22602"
},
{
"category": "external",
"summary": "RHBZ#2182198",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182198"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-22602",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22602"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-22602",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22602"
}
],
"release_date": "2023-01-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "shiro: Authentication bypass through a specially crafted HTTP request"
},
{
"cve": "CVE-2023-33201",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-06-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2215465"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: potential blind LDAP injection attack using a self-signed certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Fuse 7.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-33201"
},
{
"category": "external",
"summary": "RHBZ#2215465",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215465"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-33201",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33201"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-33201",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33201"
},
{
"category": "external",
"summary": "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201",
"url": "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201"
}
],
"release_date": "2023-06-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-29T20:07:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Fuse 7.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3954"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Fuse 7.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: potential blind LDAP injection attack using a self-signed certificate"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…