{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A Kogito update is now available for Red Hat Process Automation Manager, including images for Red Hat OpenShift Container Platform.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis release includes security fixes.\n\nSecurity Fix(es):\n\n* quarkus: HTTP security policy bypass (CVE-2023-4853)\n\nA Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:6107",
        "url": "https://access.redhat.com/errata/RHSA-2023:6107"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002",
        "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"
      },
      {
        "category": "external",
        "summary": "2238034",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6107.json"
      }
    ],
    "title": "Red Hat Security Advisory: Updated Kogito for Red Hat Process Automation Manager 7.13.4 SP1 Images",
    "tracking": {
      "current_release_date": "2026-03-18T02:26:20+00:00",
      "generator": {
        "date": "2026-03-18T02:26:20+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.3"
        }
      },
      "id": "RHSA-2023:6107",
      "initial_release_date": "2023-10-25T12:34:17+00:00",
      "revision_history": [
        {
          "date": "2023-10-25T12:34:17+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-10-25T12:34:17+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-03-18T02:26:20+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Middleware Containers for OpenShift",
                "product": {
                  "name": "Middleware Containers for OpenShift",
                  "product_id": "8Base-RHOSE-Middleware",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhosemc:1.0::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le",
                "product": {
                  "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le",
                  "product_id": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5?arch=ppc64le\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-builder-rhel8\u0026tag=7.13.4-3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le",
                "product": {
                  "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le",
                  "product_id": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6?arch=ppc64le\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-rhel8-operator-bundle\u0026tag=7.13.4-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le",
                "product": {
                  "name": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le",
                  "product_id": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406?arch=ppc64le\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-rhel8-operator\u0026tag=7.13.4-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le",
                "product": {
                  "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le",
                  "product_id": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064?arch=ppc64le\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-runtime-jvm-rhel8\u0026tag=7.13.4-3"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64",
                "product": {
                  "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64",
                  "product_id": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-builder-rhel8\u0026tag=7.13.4-3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64",
                "product": {
                  "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64",
                  "product_id": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-rhel8-operator-bundle\u0026tag=7.13.4-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64",
                "product": {
                  "name": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64",
                  "product_id": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-rhel8-operator\u0026tag=7.13.4-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64",
                "product": {
                  "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64",
                  "product_id": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-runtime-jvm-rhel8\u0026tag=7.13.4-3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64",
                "product": {
                  "name": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64",
                  "product_id": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8\u0026tag=7.13.4-3"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64 as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64"
        },
        "product_reference": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64 as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64"
        },
        "product_reference": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le"
        },
        "product_reference": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64 as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64"
        },
        "product_reference": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le"
        },
        "product_reference": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le"
        },
        "product_reference": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64 as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64"
        },
        "product_reference": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64 as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64"
        },
        "product_reference": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le"
        },
        "product_reference": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-4853",
      "cwe": {
        "id": "CWE-148",
        "name": "Improper Neutralization of Input Leaders"
      },
      "discovery_date": "2023-09-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2238034"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "quarkus: HTTP security policy bypass",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOSE-Middleware:rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64",
          "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64",
          "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le",
          "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64",
          "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le",
          "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le",
          "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64",
          "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64",
          "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-4853"
        },
        {
          "category": "external",
          "summary": "RHBZ#2238034",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
        },
        {
          "category": "external",
          "summary": "RHSB-2023-002",
          "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-4853",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-4853"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-4853",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4853"
        }
      ],
      "release_date": "2023-09-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-10-25T12:34:17+00:00",
          "details": "Updated Red Hat Process Automation Manager 7.13.4 SP1 OpenShift images can be found in the Red Hat Container Catalog.",
          "product_ids": [
            "8Base-RHOSE-Middleware:rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:6107"
        },
        {
          "category": "workaround",
          "details": "Use a \u2018deny\u2019 wildcard for base paths, then authenticate specifics within that:\n\nExamples:\n```\ndeny: /*\nauthenticated: /services/*\n```\nor\n```\ndeny: /services/*\nroles-allowed: /services/rbac/*\n```\n\nNOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected\u2013shipping the component in question\u2013without being vulnerable (\u201caffected at reduced impact\u201d).\n\nSee https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.",
          "product_ids": [
            "8Base-RHOSE-Middleware:rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOSE-Middleware:rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "quarkus: HTTP security policy bypass"
    }
  ]
}

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A one-off update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which provides a detailed severity rating, is available for each vulnerability from the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis asynchronous one-off security patch is an update to Red Hat Process Automation Manager 7.\n\nSecurity Fixes:\n\n* quarkus: HTTP security policy bypass (CVE-2023-4853)\n\nFor more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:6112",
        "url": "https://access.redhat.com/errata/RHSA-2023:6112"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2238034",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6112.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.4 security one-off update",
    "tracking": {
      "current_release_date": "2026-03-18T02:26:20+00:00",
      "generator": {
        "date": "2026-03-18T02:26:20+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.3"
        }
      },
      "id": "RHSA-2023:6112",
      "initial_release_date": "2023-10-25T13:03:39+00:00",
      "revision_history": [
        {
          "date": "2023-10-25T13:03:39+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-10-25T13:03:39+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-03-18T02:26:20+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "RHPAM 7.13.4 async",
                "product": {
                  "name": "RHPAM 7.13.4 async",
                  "product_id": "RHPAM 7.13.4 async",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Process Automation Manager"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-4853",
      "cwe": {
        "id": "CWE-148",
        "name": "Improper Neutralization of Input Leaders"
      },
      "discovery_date": "2023-09-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2238034"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "quarkus: HTTP security policy bypass",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHPAM 7.13.4 async"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-4853"
        },
        {
          "category": "external",
          "summary": "RHBZ#2238034",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
        },
        {
          "category": "external",
          "summary": "RHSB-2023-002",
          "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-4853",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-4853"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-4853",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4853"
        }
      ],
      "release_date": "2023-09-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-10-25T13:03:39+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHPAM 7.13.4 async"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:6112"
        },
        {
          "category": "workaround",
          "details": "Use a \u2018deny\u2019 wildcard for base paths, then authenticate specifics within that:\n\nExamples:\n```\ndeny: /*\nauthenticated: /services/*\n```\nor\n```\ndeny: /services/*\nroles-allowed: /services/rbac/*\n```\n\nNOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected\u2013shipping the component in question\u2013without being vulnerable (\u201caffected at reduced impact\u201d).\n\nSee https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.",
          "product_ids": [
            "RHPAM 7.13.4 async"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "RHPAM 7.13.4 async"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "quarkus: HTTP security policy bypass"
    }
  ]
}

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update to the images for Red Hat Integration - Service Registry is now available from the Red Hat Container Catalog. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This release of Red Hat Integration - Service Registry 2.5.4 GA includes the following security fixes.\n\nSecurity Fix(es):\n\n* undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) [rhint-serv-2] (CVE-2023-44487)\n\n* quarkus-vertx-http: quarkus: HTTP security policy bypass [rhint-serv-2] (CVE-2023-4853)\n\n* netty: SniHandler 16MB allocation leads to OOM [rhint-serv-2] (CVE-2023-34462)\n\n* snappy-java: Unchecked chunk length leads to DoS [rhint-serv-2] (CVE-2023-34455)\n\n* quarkus-oidc: ID and access tokens leak via the authorization code flow [rhint-serv-2] (CVE-2023-1584)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:7653",
        "url": "https://access.redhat.com/errata/RHSA-2023:7653"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2180886",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180886"
      },
      {
        "category": "external",
        "summary": "2215445",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215445"
      },
      {
        "category": "external",
        "summary": "2216888",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216888"
      },
      {
        "category": "external",
        "summary": "2238034",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
      },
      {
        "category": "external",
        "summary": "2242803",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_7653.json"
      }
    ],
    "title": "Red Hat Security Advisory: Service Registry (container images) release and security update [2.5.4 GA]",
    "tracking": {
      "current_release_date": "2026-04-30T13:13:28+00:00",
      "generator": {
        "date": "2026-04-30T13:13:28+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.7"
        }
      },
      "id": "RHSA-2023:7653",
      "initial_release_date": "2023-12-05T14:36:34+00:00",
      "revision_history": [
        {
          "date": "2023-12-05T14:36:34+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-12-05T14:36:34+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-04-30T13:13:28+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "RHINT Service Registry 2.5.4 GA",
                "product": {
                  "name": "RHINT Service Registry 2.5.4 GA",
                  "product_id": "RHINT Service Registry 2.5.4 GA",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:service_registry:2.5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Integration"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Paulo Lopes"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2023-1584",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2023-03-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2180886"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "quarkus-oidc: ID and access tokens leak via the authorization code flow",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Build of Quarkus flaw happens because the cookie contains a token that token could potentially be more useful to attackers than a normal session cookie hijacking attack. Other potentially higher security applications may accept the same token from the cookie, while with a normal session hijacking attack it is limited to the application that issued the cookie.\n\nAn attacker needs to have compromised a significant amount of your infrastructure to get the cookie. For this reason, the flaw is rated Low impact",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Service Registry 2.5.4 GA"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-1584"
        },
        {
          "category": "external",
          "summary": "RHBZ#2180886",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180886"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-1584",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-1584"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1584",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1584"
        },
        {
          "category": "external",
          "summary": "https://github.com/quarkusio/quarkus/pull/32192",
          "url": "https://github.com/quarkusio/quarkus/pull/32192"
        },
        {
          "category": "external",
          "summary": "https://github.com/quarkusio/quarkus/pull/33414",
          "url": "https://github.com/quarkusio/quarkus/pull/33414"
        }
      ],
      "release_date": "2023-03-22T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-12-05T14:36:34+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHINT Service Registry 2.5.4 GA"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:7653"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "RHINT Service Registry 2.5.4 GA"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "quarkus-oidc: ID and access tokens leak via the authorization code flow"
    },
    {
      "cve": "CVE-2023-4853",
      "cwe": {
        "id": "CWE-148",
        "name": "Improper Neutralization of Input Leaders"
      },
      "discovery_date": "2023-09-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2238034"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "quarkus: HTTP security policy bypass",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Service Registry 2.5.4 GA"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-4853"
        },
        {
          "category": "external",
          "summary": "RHBZ#2238034",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
        },
        {
          "category": "external",
          "summary": "RHSB-2023-002",
          "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-4853",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-4853"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-4853",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4853"
        }
      ],
      "release_date": "2023-09-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-12-05T14:36:34+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHINT Service Registry 2.5.4 GA"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:7653"
        },
        {
          "category": "workaround",
          "details": "Use a \u2018deny\u2019 wildcard for base paths, then authenticate specifics within that:\n\nExamples:\n```\ndeny: /*\nauthenticated: /services/*\n```\nor\n```\ndeny: /services/*\nroles-allowed: /services/rbac/*\n```\n\nNOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected\u2013shipping the component in question\u2013without being vulnerable (\u201caffected at reduced impact\u201d).\n\nSee https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.",
          "product_ids": [
            "RHINT Service Registry 2.5.4 GA"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "RHINT Service Registry 2.5.4 GA"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "quarkus: HTTP security policy bypass"
    },
    {
      "cve": "CVE-2023-34455",
      "cwe": {
        "id": "CWE-1285",
        "name": "Improper Validation of Specified Index, Position, or Offset in Input"
      },
      "discovery_date": "2023-06-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2215445"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Snappy-java\u0027s fileSnappyInputStream hasNextChunk function, which does not sufficiently evaluate input bytes before beginning operations. This issue could allow an attacker to send malicious input to trigger an out of memory error that crashes the program, resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "snappy-java: Unchecked chunk length leads to DoS",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Service Registry 2.5.4 GA"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-34455"
        },
        {
          "category": "external",
          "summary": "RHBZ#2215445",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215445"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-34455",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-34455"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-34455",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34455"
        }
      ],
      "release_date": "2023-06-16T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-12-05T14:36:34+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHINT Service Registry 2.5.4 GA"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:7653"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "RHINT Service Registry 2.5.4 GA"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "snappy-java: Unchecked chunk length leads to DoS"
    },
    {
      "cve": "CVE-2023-34462",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2023-06-23T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2216888"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty\u0027s SniHandler while navigating TLS handshake which may permit a large heap allocation if the handler did not have a timeout configured. This issue may allow an attacker to send a client hello packet which would cause the server to buffer large amounts of data per connection, potentially causing an out of memory error, resulting in Denial of Service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: SniHandler 16MB allocation leads to OOM",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Service Registry 2.5.4 GA"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-34462"
        },
        {
          "category": "external",
          "summary": "RHBZ#2216888",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216888"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-34462",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-34462"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-34462",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34462"
        }
      ],
      "release_date": "2023-06-23T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-12-05T14:36:34+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHINT Service Registry 2.5.4 GA"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:7653"
        },
        {
          "category": "workaround",
          "details": "Configuration of SniHandler with an idle timeout will mitigate this issue.",
          "product_ids": [
            "RHINT Service Registry 2.5.4 GA"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "RHINT Service Registry 2.5.4 GA"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "netty: SniHandler 16MB allocation leads to OOM"
    },
    {
      "cve": "CVE-2023-44487",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2023-10-09T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2242803"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as \u0027Important\u0027 as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\r\n\r\nCVE-2023-39325 was assigned for the Rapid Reset Attack in the Go language packages.\r\n\r\nSecurity Bulletin\r\nhttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "NGINX has been marked as Moderate Impact because, for performance and resource consumption reasons, NGINX limits the number of concurrent streams to a default of 128. In addition, to optimally balance network and server performance, NGINX allows the client to persist HTTP connections for up to 1000 requests by default using an HTTP keepalive.\n\nThe majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools utilize Golang package as build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.\n\nrhc component is no longer impacted by CVE-2023-44487 \u0026 CVE-2023-39325.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Service Registry 2.5.4 GA"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-44487"
        },
        {
          "category": "external",
          "summary": "RHBZ#2242803",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
        },
        {
          "category": "external",
          "summary": "RHSB-2023-003",
          "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-44487",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
        },
        {
          "category": "external",
          "summary": "https://github.com/dotnet/announcements/issues/277",
          "url": "https://github.com/dotnet/announcements/issues/277"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-2102",
          "url": "https://pkg.go.dev/vuln/GO-2023-2102"
        },
        {
          "category": "external",
          "summary": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
          "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
        },
        {
          "category": "external",
          "summary": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/",
          "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
        },
        {
          "category": "external",
          "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
          "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        }
      ],
      "release_date": "2023-10-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-12-05T14:36:34+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHINT Service Registry 2.5.4 GA"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:7653"
        },
        {
          "category": "workaround",
          "details": "Users are strongly urged to update their software as soon as fixes are available. \nThere are several mitigation approaches for this flaw. \n\n1. If circumstances permit, users may disable http2 endpoints to circumvent the flaw altogether until a fix is available.\n2. IP-based blocking or flood protection and rate control tools may be used at network endpoints to filter incoming traffic.\n3. Several package specific mitigations are also available. \n     a. nginx: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/\n     b. netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p\n     c. haproxy: https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487\n     d. nghttp2: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg\n     e. golang: The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.",
          "product_ids": [
            "RHINT Service Registry 2.5.4 GA"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "RHINT Service Registry 2.5.4 GA"
          ]
        }
      ],
      "threats": [
        {
          "category": "exploit_status",
          "date": "2023-10-10T00:00:00+00:00",
          "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        },
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)"
    }
  ]
}

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter anonymer Angreifer kann eine Schwachstelle in Red Hat Quarkus ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu verursachen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-2362 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2362.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-2362 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2362"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory - RHSA-2023:5170 vom 2023-09-14",
        "url": "https://access.redhat.com/errata/RHSA-2023:5170"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory - RHSA-2023:5170 vom 2023-09-14",
        "url": "https://access.redhat.com/security/cve/CVE-2023-4853"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:5310 vom 2023-09-20",
        "url": "https://access.redhat.com/errata/RHSA-2023:5310"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:5337 vom 2023-09-21",
        "url": "https://access.redhat.com/errata/RHSA-2023:5337"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:5446 vom 2023-10-04",
        "url": "https://access.redhat.com/errata/RHSA-2023:5446"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:5480 vom 2023-10-05",
        "url": "https://access.redhat.com/errata/RHSA-2023:5480"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:5479 vom 2023-10-05",
        "url": "https://access.redhat.com/errata/RHSA-2023:5479"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:6112 vom 2023-10-25",
        "url": "https://access.redhat.com/errata/RHSA-2023:6112"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:6107 vom 2023-10-25",
        "url": "https://access.redhat.com/errata/RHSA-2023:6107"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:7653 vom 2023-12-06",
        "url": "https://access.redhat.com/errata/RHSA-2023:7653"
      },
      {
        "category": "external",
        "summary": "Hitachi Vulnerability Information HITACHI-SEC-2024-134 vom 2024-07-02",
        "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-134/index.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Red Hat Quarkus: Schwachstelle erm\u00f6glicht die Umgehung von Sicherheitsma\u00dfnahmen oder die Verursachung eines Denial-of-Service-Zustands",
    "tracking": {
      "current_release_date": "2024-07-01T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:58:29.286+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-2362",
      "initial_release_date": "2023-09-14T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-09-14T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2023-09-19T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-09-21T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-10-04T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-10-05T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-10-25T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-12-05T23:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-07-01T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von HITACHI aufgenommen"
        }
      ],
      "status": "final",
      "version": "8"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Hitachi Ops Center",
            "product": {
              "name": "Hitachi Ops Center",
              "product_id": "T017562",
              "product_identification_helper": {
                "cpe": "cpe:/a:hitachi:ops_center:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Hitachi"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux",
                "product": {
                  "name": "Red Hat Enterprise Linux",
                  "product_id": "67646",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:-"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Quarkus \u003c2.13.8",
                "product": {
                  "name": "Red Hat Enterprise Linux Quarkus \u003c2.13.8",
                  "product_id": "T029889"
                }
              }
            ],
            "category": "product_name",
            "name": "Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Service Registry 1",
                "product": {
                  "name": "Red Hat Integration Service Registry 1",
                  "product_id": "T031465",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:integration:service_registry_1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Integration"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-4853",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Red Hat Enterprise Linux. Dieser Fehler besteht in der Quarkus-Komponente, da die HTTP-Sicherheitsrichtlinien bestimmte Zeichenkombinationen nicht korrekt bereinigen, was zu einem nicht autorisierten Endpunktzugriff f\u00fchrt. Ein entfernter Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T031465",
          "67646",
          "T017562"
        ]
      },
      "release_date": "2023-09-14T22:00:00.000+00:00",
      "title": "CVE-2023-4853"
    }
  ]
}

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Hitachi Ops Center ist eine Softwarel\u00f6sung f\u00fcr Rechenzentren zur Verwaltung, Optimierung, Orchestrierung und zum Schutz von Daten.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Hitachi Ops Center ausnutzen, um einen nicht n\u00e4her spezifizierten Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-1769 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1769.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-1769 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1769"
      },
      {
        "category": "external",
        "summary": "Hitachi Software Vulnerability Information vom 2024-08-05",
        "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-136/index.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Hitachi Ops Center: Mehrere Schwachstellen erm\u00f6glichen nicht spezifizierten Angriff",
    "tracking": {
      "current_release_date": "2024-08-05T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:11:59.017+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-1769",
      "initial_release_date": "2024-08-05T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-08-05T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Analyzer \u003c11.0.1-00",
                "product": {
                  "name": "Hitachi Ops Center Analyzer \u003c11.0.1-00",
                  "product_id": "T036614"
                }
              },
              {
                "category": "product_version_range",
                "name": "Viewpoint \u003c11.0.2-00",
                "product": {
                  "name": "Hitachi Ops Center Viewpoint \u003c11.0.2-00",
                  "product_id": "T036615"
                }
              }
            ],
            "category": "product_name",
            "name": "Ops Center"
          }
        ],
        "category": "vendor",
        "name": "Hitachi"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-0482",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Hitachi Ops Center, die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen."
        }
      ],
      "release_date": "2024-08-05T22:00:00.000+00:00",
      "title": "CVE-2023-0482"
    },
    {
      "cve": "CVE-2023-24815",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Hitachi Ops Center, die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen."
        }
      ],
      "release_date": "2024-08-05T22:00:00.000+00:00",
      "title": "CVE-2023-24815"
    },
    {
      "cve": "CVE-2023-2974",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Hitachi Ops Center, die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen."
        }
      ],
      "release_date": "2024-08-05T22:00:00.000+00:00",
      "title": "CVE-2023-2974"
    },
    {
      "cve": "CVE-2023-32081",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Hitachi Ops Center, die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen."
        }
      ],
      "release_date": "2024-08-05T22:00:00.000+00:00",
      "title": "CVE-2023-32081"
    },
    {
      "cve": "CVE-2023-33546",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Hitachi Ops Center, die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen."
        }
      ],
      "release_date": "2024-08-05T22:00:00.000+00:00",
      "title": "CVE-2023-33546"
    },
    {
      "cve": "CVE-2023-4853",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in Hitachi Ops Center, die zum aktuellen Zeitpunkt nicht im Detail beschrieben und ver\u00f6ffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen."
        }
      ],
      "release_date": "2024-08-05T22:00:00.000+00:00",
      "title": "CVE-2023-4853"
    }
  ]
}