Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2024-1300 (GCVE-0-2024-1300)
Vulnerability from cvelistv5 – Published: 2024-04-02 07:33 – Updated: 2026-02-25 19:31
VLAI
EPSS
Title
Io.vertx:vertx-core: memory leak when a tcp server is configured with tls and sni support
Summary
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.
Severity
5.4 (Medium)
CWE
- CWE-772 - Missing Release of Resource after Effective Lifetime
Assigner
References
11 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2024:1662 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2024:1706 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2024:1923 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2024:2088 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2024:2833 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2024:3527 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2024:3989 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2024:4884 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2024-1300 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2263139 | issue-trackingx_refsource_REDHAT |
| https://vertx.io/docs/vertx-core/java/#_server_na… |
Impacted products
33 products
| Vendor | Product | Version | |
|---|---|---|---|
|
Affected:
4.3.4 , ≤ 4.5.2
(semver)
|
|||
| Red Hat | CEQ 3.2 |
cpe:/a:redhat:camel_quarkus:3 |
|
| Red Hat | Cryostat 2 on RHEL 8 |
Unaffected:
2.4.0-7 , < *
(rpm)
cpe:/a:redhat:cryostat:2::el8 |
|
| Red Hat | Cryostat 2 on RHEL 8 |
Unaffected:
2.4.0-4 , < *
(rpm)
cpe:/a:redhat:cryostat:2::el8 |
|
| Red Hat | Cryostat 2 on RHEL 8 |
Unaffected:
2.4.0-4 , < *
(rpm)
cpe:/a:redhat:cryostat:2::el8 |
|
| Red Hat | Cryostat 2 on RHEL 8 |
Unaffected:
2.4.0-4 , < *
(rpm)
cpe:/a:redhat:cryostat:2::el8 |
|
| Red Hat | Cryostat 2 on RHEL 8 |
Unaffected:
2.4.0-9 , < *
(rpm)
cpe:/a:redhat:cryostat:2::el8 |
|
| Red Hat | Cryostat 2 on RHEL 8 |
Unaffected:
2.4.0-4 , < *
(rpm)
cpe:/a:redhat:cryostat:2::el8 |
|
| Red Hat | Migration Toolkit for Runtimes 1 on RHEL 8 |
Unaffected:
1.2-18 , < *
(rpm)
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8 |
|
| Red Hat | Migration Toolkit for Runtimes 1 on RHEL 8 |
Unaffected:
1.2-11 , < *
(rpm)
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8 |
|
| Red Hat | Migration Toolkit for Runtimes 1 on RHEL 8 |
Unaffected:
1.2-12 , < *
(rpm)
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8 |
|
| Red Hat | Migration Toolkit for Runtimes 1 on RHEL 8 |
Unaffected:
1.2-10 , < *
(rpm)
cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8 |
|
| Red Hat | MTA-6.2-RHEL-9 |
Unaffected:
6.2.3-2 , < *
(rpm)
cpe:/a:redhat:migration_toolkit_applications:6.2::el9 cpe:/a:redhat:migration_toolkit_applications:6.2::el8 |
|
| Red Hat | Red Hat AMQ Streams 2.7.0 |
cpe:/a:redhat:amq_streams:2 |
|
| Red Hat | Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2 |
cpe:/a:redhat:apache_camel_spring_boot:4.4::el6 |
|
| Red Hat | Red Hat build of Quarkus 3.2.11.Final |
Unaffected:
4.4.8.redhat-00001 , < *
(rpm)
cpe:/a:redhat:quarkus:3.2::el8 |
|
| Red Hat | RHINT Service Registry 2.5.11 GA |
cpe:/a:redhat:service_registry:2.5 |
|
| Red Hat | A-MQ Clients 2 |
cpe:/a:redhat:a_mq_clients:2 |
|
| Red Hat | OpenShift Serverless |
cpe:/a:redhat:serverless:1 |
|
| Red Hat | Red Hat AMQ Broker 7 |
cpe:/a:redhat:amq_broker:7 |
|
| Red Hat | Red Hat build of Apache Camel for Spring Boot 3 |
cpe:/a:redhat:camel_spring_boot:3 |
|
| Red Hat | Red Hat Build of Keycloak |
cpe:/a:redhat:build_keycloak: |
|
| Red Hat | Red Hat build of OptaPlanner 8 |
cpe:/a:redhat:optaplanner:::el6 |
|
| Red Hat | Red Hat build of Quarkus |
cpe:/a:redhat:quarkus:2 |
|
| Red Hat | Red Hat Data Grid 8 |
cpe:/a:redhat:jboss_data_grid:8 |
|
| Red Hat | Red Hat Fuse 7 |
cpe:/a:redhat:jboss_fuse:7 |
|
| Red Hat | Red Hat Integration Camel K 1 |
cpe:/a:redhat:integration:1 |
|
| Red Hat | Red Hat Integration Camel Quarkus 2 |
cpe:/a:redhat:camel_quarkus:2 |
|
| Red Hat | Red Hat JBoss Data Grid 7 |
cpe:/a:redhat:jboss_data_grid:7 |
|
| Red Hat | Red Hat JBoss Enterprise Application Platform 7 |
cpe:/a:redhat:jboss_enterprise_application_platform:7 |
|
| Red Hat | Red Hat JBoss Enterprise Application Platform 8 |
cpe:/a:redhat:jboss_enterprise_application_platform:8 |
|
| Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack |
cpe:/a:redhat:jbosseapxp |
|
| Red Hat | Red Hat Process Automation 7 |
cpe:/a:redhat:jboss_enterprise_bpms_platform:7 |
Date Public
2024-02-06 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1300",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-02T15:16:36.592165Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-20T19:53:23.394Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:33:25.527Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2024:1662",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:1662"
},
{
"name": "RHSA-2024:1706",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:1706"
},
{
"name": "RHSA-2024:1923",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:1923"
},
{
"name": "RHSA-2024:2088",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2088"
},
{
"name": "RHSA-2024:2833",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2833"
},
{
"name": "RHSA-2024:3527",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3527"
},
{
"name": "RHSA-2024:3989",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
},
{
"name": "RHSA-2024:4884",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-1300"
},
{
"name": "RHBZ#2263139",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263139"
},
{
"tags": [
"x_transferred"
],
"url": "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni."
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://vertx.io/docs/vertx-core/java/",
"defaultStatus": "unaffected",
"packageName": "io.vertx:vertx-core",
"versions": [
{
"lessThanOrEqual": "4.5.2",
"status": "affected",
"version": "4.3.4",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:camel_quarkus:3"
],
"defaultStatus": "unaffected",
"packageName": "vertx-core",
"product": "CEQ 3.2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cryostat:2::el8"
],
"defaultStatus": "affected",
"packageName": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8",
"product": "Cryostat 2 on RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.4.0-7",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cryostat:2::el8"
],
"defaultStatus": "affected",
"packageName": "cryostat-tech-preview/cryostat-operator-bundle",
"product": "Cryostat 2 on RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.4.0-4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cryostat:2::el8"
],
"defaultStatus": "affected",
"packageName": "cryostat-tech-preview/cryostat-reports-rhel8",
"product": "Cryostat 2 on RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.4.0-4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cryostat:2::el8"
],
"defaultStatus": "affected",
"packageName": "cryostat-tech-preview/cryostat-rhel8",
"product": "Cryostat 2 on RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.4.0-4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cryostat:2::el8"
],
"defaultStatus": "affected",
"packageName": "cryostat-tech-preview/cryostat-rhel8-operator",
"product": "Cryostat 2 on RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.4.0-9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:cryostat:2::el8"
],
"defaultStatus": "affected",
"packageName": "cryostat-tech-preview/jfr-datasource-rhel8",
"product": "Cryostat 2 on RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.4.0-4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
],
"defaultStatus": "affected",
"packageName": "mtr/mtr-operator-bundle",
"product": "Migration Toolkit for Runtimes 1 on RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1.2-18",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
],
"defaultStatus": "affected",
"packageName": "mtr/mtr-rhel8-operator",
"product": "Migration Toolkit for Runtimes 1 on RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1.2-11",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
],
"defaultStatus": "affected",
"packageName": "mtr/mtr-web-container-rhel8",
"product": "Migration Toolkit for Runtimes 1 on RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1.2-12",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
],
"defaultStatus": "affected",
"packageName": "mtr/mtr-web-executor-container-rhel8",
"product": "Migration Toolkit for Runtimes 1 on RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1.2-10",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:6.2::el9",
"cpe:/a:redhat:migration_toolkit_applications:6.2::el8"
],
"defaultStatus": "affected",
"packageName": "mta/mta-windup-addon-rhel9",
"product": "MTA-6.2-RHEL-9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "6.2.3-2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:amq_streams:2"
],
"defaultStatus": "unaffected",
"packageName": "vertx-core",
"product": "Red Hat AMQ Streams 2.7.0",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:apache_camel_spring_boot:4.4::el6"
],
"defaultStatus": "unaffected",
"packageName": "vertx-core",
"product": "Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:quarkus:3.2::el8"
],
"defaultStatus": "affected",
"packageName": "io.vertx/vertx-core",
"product": "Red Hat build of Quarkus 3.2.11.Final",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "4.4.8.redhat-00001",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:service_registry:2.5"
],
"defaultStatus": "unaffected",
"packageName": "vertx-core",
"product": "RHINT Service Registry 2.5.11 GA",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:a_mq_clients:2"
],
"defaultStatus": "unaffected",
"packageName": "vertx-core",
"product": "A-MQ Clients 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:serverless:1"
],
"defaultStatus": "unaffected",
"packageName": "vertx-core",
"product": "OpenShift Serverless",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:amq_broker:7"
],
"defaultStatus": "unaffected",
"packageName": "vertx-core",
"product": "Red Hat AMQ Broker 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:camel_spring_boot:3"
],
"defaultStatus": "affected",
"packageName": "vertx-core",
"product": "Red Hat build of Apache Camel for Spring Boot 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:"
],
"defaultStatus": "affected",
"packageName": "vertx-core",
"product": "Red Hat Build of Keycloak",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:optaplanner:::el6"
],
"defaultStatus": "affected",
"packageName": "vertx-core",
"product": "Red Hat build of OptaPlanner 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:quarkus:2"
],
"defaultStatus": "affected",
"packageName": "io.vertx/vertx-core",
"product": "Red Hat build of Quarkus",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:8"
],
"defaultStatus": "unaffected",
"packageName": "vertx-core",
"product": "Red Hat Data Grid 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_fuse:7"
],
"defaultStatus": "unaffected",
"packageName": "vertx-core",
"product": "Red Hat Fuse 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:integration:1"
],
"defaultStatus": "affected",
"packageName": "vertx-core",
"product": "Red Hat Integration Camel K 1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:camel_quarkus:2"
],
"defaultStatus": "affected",
"packageName": "vertx-core",
"product": "Red Hat Integration Camel Quarkus 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:7"
],
"defaultStatus": "affected",
"packageName": "vertx-core",
"product": "Red Hat JBoss Data Grid 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7"
],
"defaultStatus": "unaffected",
"packageName": "vertx-core",
"product": "Red Hat JBoss Enterprise Application Platform 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8"
],
"defaultStatus": "unaffected",
"packageName": "vertx-core",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jbosseapxp"
],
"defaultStatus": "unaffected",
"packageName": "vertx-core",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
],
"defaultStatus": "affected",
"packageName": "vertx-core",
"product": "Red Hat Process Automation 7",
"vendor": "Red Hat"
}
],
"datePublic": "2024-02-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T19:31:07.332Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2024:1662",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:1662"
},
{
"name": "RHSA-2024:1706",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:1706"
},
{
"name": "RHSA-2024:1923",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:1923"
},
{
"name": "RHSA-2024:2088",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2088"
},
{
"name": "RHSA-2024:2833",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2833"
},
{
"name": "RHSA-2024:3527",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3527"
},
{
"name": "RHSA-2024:3989",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
},
{
"name": "RHSA-2024:4884",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-1300"
},
{
"name": "RHBZ#2263139",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263139"
},
{
"url": "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni."
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-07T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-02-06T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Io.vertx:vertx-core: memory leak when a tcp server is configured with tls and sni support",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-772: Missing Release of Resource after Effective Lifetime"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2024-1300",
"datePublished": "2024-04-02T07:33:05.215Z",
"dateReserved": "2024-02-07T07:11:11.156Z",
"dateUpdated": "2026-02-25T19:31:07.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-1300",
"date": "2026-05-28",
"epss": "0.00245",
"percentile": "0.47886"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-1300\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2024-04-02T08:15:53.993\",\"lastModified\":\"2026-02-25T20:17:16.663\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad en Eclipse Vert.x toolkit provoca una p\u00e9rdida de memoria en servidores TCP configurados con soporte TLS y SNI. Al procesar un nombre de servidor SNI desconocido al que se le asigna el certificado predeterminado en lugar de un certificado asignado, el contexto SSL se almacena en cach\u00e9 por error en el mapa de nombres del servidor, lo que provoca que se agote la memoria. Esta falla permite a los atacantes enviar mensajes de saludo al cliente TLS con nombres de servidor falsos, lo que provoca un error de falta de memoria de JVM.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-772\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2024:1662\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:1706\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:1923\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:2088\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:2833\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:3527\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:3989\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:4884\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2024-1300\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2263139\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:1662\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:1706\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:1923\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:2088\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:2833\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:3527\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:3989\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:4884\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2024-1300\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2263139\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://access.redhat.com/errata/RHSA-2024:1662\", \"name\": \"RHSA-2024:1662\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:1706\", \"name\": \"RHSA-2024:1706\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:1923\", \"name\": \"RHSA-2024:1923\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:2088\", \"name\": \"RHSA-2024:2088\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:2833\", \"name\": \"RHSA-2024:2833\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:3527\", \"name\": \"RHSA-2024:3527\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:3989\", \"name\": \"RHSA-2024:3989\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:4884\", \"name\": \"RHSA-2024:4884\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2024-1300\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2263139\", \"name\": \"RHBZ#2263139\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T18:33:25.527Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-1300\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-02T15:16:36.592165Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-20T19:53:20.714Z\"}}], \"cna\": {\"title\": \"Io.vertx:vertx-core: memory leak when a tcp server is configured with tls and sni support\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Moderate\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"versions\": [{\"status\": \"affected\", \"version\": \"4.3.4\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.5.2\"}], \"packageName\": \"io.vertx:vertx-core\", \"collectionURL\": \"https://vertx.io/docs/vertx-core/java/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:camel_quarkus:3\"], \"vendor\": \"Red Hat\", \"product\": \"CEQ 3.2\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:cryostat:2::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Cryostat 2 on RHEL 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"2.4.0-7\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cryostat-tech-preview/cryostat-grafana-dashboard-rhel8\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cryostat:2::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Cryostat 2 on RHEL 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"2.4.0-4\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cryostat-tech-preview/cryostat-operator-bundle\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cryostat:2::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Cryostat 2 on RHEL 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"2.4.0-4\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cryostat-tech-preview/cryostat-reports-rhel8\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cryostat:2::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Cryostat 2 on RHEL 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"2.4.0-4\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cryostat-tech-preview/cryostat-rhel8\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cryostat:2::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Cryostat 2 on RHEL 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"2.4.0-9\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cryostat-tech-preview/cryostat-rhel8-operator\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:cryostat:2::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Cryostat 2 on RHEL 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"2.4.0-4\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"cryostat-tech-preview/jfr-datasource-rhel8\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Migration Toolkit for Runtimes 1 on RHEL 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.2-18\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"mtr/mtr-operator-bundle\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Migration Toolkit for Runtimes 1 on RHEL 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.2-11\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"mtr/mtr-rhel8-operator\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Migration Toolkit for Runtimes 1 on RHEL 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.2-12\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"mtr/mtr-web-container-rhel8\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Migration Toolkit for Runtimes 1 on RHEL 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.2-10\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"mtr/mtr-web-executor-container-rhel8\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:migration_toolkit_applications:6.2::el9\", \"cpe:/a:redhat:migration_toolkit_applications:6.2::el8\"], \"vendor\": \"Red Hat\", \"product\": \"MTA-6.2-RHEL-9\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"6.2.3-2\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"mta/mta-windup-addon-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:amq_streams:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat AMQ Streams 2.7.0\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:apache_camel_spring_boot:4.4::el6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:quarkus:3.2::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Quarkus 3.2.11.Final\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"4.4.8.redhat-00001\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"io.vertx/vertx-core\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_registry:2.5\"], \"vendor\": \"Red Hat\", \"product\": \"RHINT Service Registry 2.5.11 GA\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:a_mq_clients:2\"], \"vendor\": \"Red Hat\", \"product\": \"A-MQ Clients 2\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:serverless:1\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Serverless\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:amq_broker:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat AMQ Broker 7\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:camel_spring_boot:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Apache Camel for Spring Boot 3\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Build of Keycloak\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:optaplanner:::el6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of OptaPlanner 8\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:quarkus:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Quarkus\", \"packageName\": \"io.vertx/vertx-core\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_data_grid:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Data Grid 8\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_fuse:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Fuse 7\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:integration:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Integration Camel K 1\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:camel_quarkus:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Integration Camel Quarkus 2\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_data_grid:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Data Grid 7\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_enterprise_application_platform:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Enterprise Application Platform 7\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_enterprise_application_platform:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Enterprise Application Platform 8\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:jbosseapxp\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat JBoss Enterprise Application Platform Expansion Pack\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_enterprise_bpms_platform:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Process Automation 7\", \"packageName\": \"vertx-core\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2024-02-07T00:00:00.000Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2024-02-06T00:00:00.000Z\", \"value\": \"Made public.\"}], \"datePublic\": \"2024-02-06T00:00:00.000Z\", \"references\": [{\"url\": \"https://access.redhat.com/errata/RHSA-2024:1662\", \"name\": \"RHSA-2024:1662\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:1706\", \"name\": \"RHSA-2024:1706\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:1923\", \"name\": \"RHSA-2024:1923\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:2088\", \"name\": \"RHSA-2024:2088\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:2833\", \"name\": \"RHSA-2024:2833\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:3527\", \"name\": \"RHSA-2024:3527\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:3989\", \"name\": \"RHSA-2024:3989\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:4884\", \"name\": \"RHSA-2024:4884\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2024-1300\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2263139\", \"name\": \"RHBZ#2263139\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\"}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-772\", \"description\": \"Missing Release of Resource after Effective Lifetime\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2026-02-25T19:31:07.332Z\"}, \"x_redhatCweChain\": \"CWE-772: Missing Release of Resource after Effective Lifetime\"}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-1300\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-25T19:31:07.332Z\", \"dateReserved\": \"2024-02-07T07:11:11.156Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2024-04-02T07:33:05.215Z\", \"assignerShortName\": \"redhat\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2024:3989
Vulnerability from csaf_redhat - Published: 2024-06-20 00:34 - Updated: 2026-05-16 23:26Summary
Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update
Severity
Important
Notes
Topic: Migration Toolkit for Applications 6.2.3 release
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Details: Migration Toolkit for Applications 6.2.3 Images
Security Fix(es) from Bugzilla:
* keycloak: path transversal in redirection validation (CVE-2024-1132)
* webpack-dev-middleware: lack of URL validation may lead to file leak (CVE-2024-29180)
* axios: exposure of confidential data stored in cookies (CVE-2023-45857)
* css-tools: Improper Input Validation causes Denial of Service via Regular Expression (CVE-2023-26364)
* css-tools: regular expression denial of service (ReDoS) when parsing CSS (CVE-2023-48631)
* follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse() (CVE-2023-26159)
* io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)
* io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)
* commons-compress: OutOfMemoryError unpacking broken Pack200 file (CVE-2024-26308)
* follow-redirects: Possible credential leak (CVE-2024-28849)
* jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)
* commons-configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree (CVE-2024-29133)
* commons-configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator() (CVE-2024-29131)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
An Improper Input Validation flaw was found in follow-redirects due to the improper handling of URLs by the url.parse() function. When a new URL() throws an error, it can be manipulated to misinterpret the hostname. This issue could allow an attacker to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.
6.1 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64 | — |
Workaround
|
Threats
Impact
Moderate
A flaw was found in Adobe CSS Tools. An improper input validation could result in a minor denial of service while parsing a malicious CSS with the parse component. User interaction and privileges are not required to jeopardize an environment.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64 | — |
Workaround
|
Threats
Impact
Moderate
A flaw was found in Jetty's CGI servlet which permits incorrect command execution in specific circumstances such as requests with certain characters in requested filenames. This issue could allow an attacker to run permitted commands other than the one requested.
CWE-149 - Improper Neutralization of Quoting SyntaxAffected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64 | — |
Vendor Fix
fix
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64 | — | ||
| Unresolved product id: 9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64 | — | ||
| Unresolved product id: 9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64 | — | ||
| Unresolved product id: 9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64 | — | ||
| Unresolved product id: 9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64 | — |
Threats
Impact
Low
A flaw was found in Axios that may expose a confidential session token. This issue can allow a remote attacker to bypass security measures and view sensitive data.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64 | — |
Workaround
|
Threats
Impact
Moderate
A Regular Expression Denial of Service (ReDoS) vulnerability was found in Adobe's css-tools when parsing CSS. This issue occurs due to improper input validation and may allow an attacker to use a carefully crafted input string to cause a denial of service, especially when attempting to parse CSS.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64 | — |
Workaround
|
Threats
Impact
Moderate
A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64 | — |
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64 | — |
Workaround
|
Threats
Impact
Important
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.
5.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64 | — |
Workaround
|
Threats
Impact
Moderate
A loop with an unreachable exit condition (Infinite Loop) vulnerability was found in Apache Common Compress. This issue can lead to a denial of service.
5.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64 | — |
Workaround
|
Threats
Impact
Moderate
An allocation of resources without limits or throttling vulnerability was found in Apache Commons Compress. This issue can lead to an out-of-memory error.
5.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64 | — |
Workaround
|
Threats
Impact
Moderate
A vulnerability was found in the follow-redirects package. While processing the cross-domain redirection, `follow-redirects` clears authorization headers, however, it misses clearing proxy-authentication headers, which contain credentials as well. This issue may lead to credential leaking, having a high impact on data confidentiality.
6.5 (Medium)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64 | — | ||
| Unresolved product id: 9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64 | — | ||
| Unresolved product id: 9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64 | — | ||
| Unresolved product id: 9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64 | — |
Threats
Impact
Moderate
A vulnerability was found in Apache Commons-Configuration2, where a Stack Overflow Error can occur when adding a property in AbstractListDelimiterHandler.flattenIterator(). This issue could allow an attacker to corrupt memory or execute a denial of service attack by crafting malicious property that triggers an out-of-bounds write issue when processed by the vulnerable method.
4.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64 | — |
Workaround
|
Threats
Impact
Low
A vulnerability was found in Apache Commons-Configuration2, where a Stack Overflow Error occurs when calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree. This issue could allow an attacker to trigger an out-of-bounds write that could lead to memory corruption or cause a denial of service condition.
4.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64 | — |
Workaround
|
Threats
Impact
Low
A flaw was found in the webpack-dev-middleware package, where it failed to validate the supplied URL address sufficiently before returning local files. This flaw allows an attacker to craft URLs to return arbitrary local files from the developer's machine. The lack of normalization before calling the middleware also allows the attacker to perform path traversal attacks on the target environment.
7.4 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64 | — |
Workaround
|
Threats
Impact
Important
References
90 references
Acknowledgments
Axel Flamcourt
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Migration Toolkit for Applications 6.2.3 release\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Migration Toolkit for Applications 6.2.3 Images\n\nSecurity Fix(es) from Bugzilla:\n\n* keycloak: path transversal in redirection validation (CVE-2024-1132)\n\n* webpack-dev-middleware: lack of URL validation may lead to file leak (CVE-2024-29180)\n\n* axios: exposure of confidential data stored in cookies (CVE-2023-45857)\n\n* css-tools: Improper Input Validation causes Denial of Service via Regular Expression (CVE-2023-26364)\n\n* css-tools: regular expression denial of service (ReDoS) when parsing CSS (CVE-2023-48631)\n\n* follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse() (CVE-2023-26159)\n\n* io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)\n\n* io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)\n\n* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)\n\n* commons-compress: OutOfMemoryError unpacking broken Pack200 file (CVE-2024-26308)\n\n* follow-redirects: Possible credential leak (CVE-2024-28849)\n\n* jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)\n\n* commons-configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree (CVE-2024-29133)\n\n* commons-configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator() (CVE-2024-29131)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:3989",
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2239630",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239630"
},
{
"category": "external",
"summary": "2248979",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248979"
},
{
"category": "external",
"summary": "2250364",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250364"
},
{
"category": "external",
"summary": "2254559",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254559"
},
{
"category": "external",
"summary": "2256413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256413"
},
{
"category": "external",
"summary": "2260840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260840"
},
{
"category": "external",
"summary": "2262117",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262117"
},
{
"category": "external",
"summary": "2263139",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263139"
},
{
"category": "external",
"summary": "2264988",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264988"
},
{
"category": "external",
"summary": "2264989",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264989"
},
{
"category": "external",
"summary": "2269576",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269576"
},
{
"category": "external",
"summary": "2270673",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270673"
},
{
"category": "external",
"summary": "2270674",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270674"
},
{
"category": "external",
"summary": "2270863",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270863"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_3989.json"
}
],
"title": "Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update",
"tracking": {
"current_release_date": "2026-05-16T23:26:26+00:00",
"generator": {
"date": "2026-05-16T23:26:26+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2024:3989",
"initial_release_date": "2024-06-20T00:34:55+00:00",
"revision_history": [
{
"date": "2024-06-20T00:34:55+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-06-20T00:34:55+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-16T23:26:26+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "MTA 6.2 for RHEL 8",
"product": {
"name": "MTA 6.2 for RHEL 8",
"product_id": "9Base-MTA-6.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9"
}
}
},
{
"category": "product_name",
"name": "MTA 6.2 for RHEL 8",
"product": {
"name": "MTA 6.2 for RHEL 8",
"product_id": "8Base-MTA-6.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el8"
}
}
}
],
"category": "product_family",
"name": "Migration Toolkit for Applications"
},
{
"branches": [
{
"category": "product_version",
"name": "mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"product": {
"name": "mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"product_id": "mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-hub-rhel9\u0026tag=6.2.3-1"
}
}
},
{
"category": "product_version",
"name": "mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"product": {
"name": "mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"product_id": "mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-operator-bundle\u0026tag=6.2.3-4"
}
}
},
{
"category": "product_version",
"name": "mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"product": {
"name": "mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"product_id": "mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-rhel8-operator\u0026tag=6.2.3-1"
}
}
},
{
"category": "product_version",
"name": "mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"product": {
"name": "mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"product_id": "mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-pathfinder-rhel9\u0026tag=6.2.3-1"
}
}
},
{
"category": "product_version",
"name": "mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"product": {
"name": "mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"product_id": "mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-ui-rhel9\u0026tag=6.2.3-2"
}
}
},
{
"category": "product_version",
"name": "mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64",
"product": {
"name": "mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64",
"product_id": "mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64",
"product_identification_helper": {
"purl": "pkg:oci/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-windup-addon-rhel9\u0026tag=6.2.3-2"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64 as a component of MTA 6.2 for RHEL 8",
"product_id": "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64"
},
"product_reference": "mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"relates_to_product_reference": "8Base-MTA-6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64 as a component of MTA 6.2 for RHEL 8",
"product_id": "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64"
},
"product_reference": "mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"relates_to_product_reference": "9Base-MTA-6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64 as a component of MTA 6.2 for RHEL 8",
"product_id": "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64"
},
"product_reference": "mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"relates_to_product_reference": "9Base-MTA-6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64 as a component of MTA 6.2 for RHEL 8",
"product_id": "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64"
},
"product_reference": "mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"relates_to_product_reference": "9Base-MTA-6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64 as a component of MTA 6.2 for RHEL 8",
"product_id": "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
},
"product_reference": "mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"relates_to_product_reference": "9Base-MTA-6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64 as a component of MTA 6.2 for RHEL 8",
"product_id": "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
},
"product_reference": "mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64",
"relates_to_product_reference": "9Base-MTA-6.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-26159",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2024-01-02T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2256413"
}
],
"notes": [
{
"category": "description",
"text": "An Improper Input Validation flaw was found in follow-redirects due to the improper handling of URLs by the url.parse() function. When a new URL() throws an error, it can be manipulated to misinterpret the hostname. This issue could allow an attacker to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "follow-redirects is a transitive dependency of Grafana, and does not affect Red Hat Enterprise Linux 8.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
],
"known_not_affected": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-26159"
},
{
"category": "external",
"summary": "RHBZ#2256413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256413"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-26159",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26159"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-26159",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26159"
}
],
"release_date": "2024-01-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-06-20T00:34:55+00:00",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()"
},
{
"cve": "CVE-2023-26364",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2023-11-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2250364"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Adobe CSS Tools. An improper input validation could result in a minor denial of service while parsing a malicious CSS with the parse component. User interaction and privileges are not required to jeopardize an environment.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "css-tools: Improper Input Validation causes Denial of Service via Regular Expression",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"known_not_affected": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-26364"
},
{
"category": "external",
"summary": "RHBZ#2250364",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250364"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-26364",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-26364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26364"
},
{
"category": "external",
"summary": "https://github.com/adobe/css-tools/security/advisories/GHSA-hpx4-r86g-5jrg",
"url": "https://github.com/adobe/css-tools/security/advisories/GHSA-hpx4-r86g-5jrg"
}
],
"release_date": "2023-11-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-06-20T00:34:55+00:00",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
},
{
"category": "workaround",
"details": "No mitigation is yet available for this vulnerability.",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "css-tools: Improper Input Validation causes Denial of Service via Regular Expression"
},
{
"cve": "CVE-2023-36479",
"cwe": {
"id": "CWE-149",
"name": "Improper Neutralization of Quoting Syntax"
},
"discovery_date": "2023-09-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2239630"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jetty\u0027s CGI servlet which permits incorrect command execution in specific circumstances such as requests with certain characters in requested filenames. This issue could allow an attacker to run permitted commands other than the one requested.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty: Improper addition of quotation marks to user inputs in CgiServlet",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"known_not_affected": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-36479"
},
{
"category": "external",
"summary": "RHBZ#2239630",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239630"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-36479",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-36479"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-36479",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36479"
}
],
"release_date": "2023-09-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-06-20T00:34:55+00:00",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jetty: Improper addition of quotation marks to user inputs in CgiServlet"
},
{
"cve": "CVE-2023-45857",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-11-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2248979"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios that may expose a confidential session token. This issue can allow a remote attacker to bypass security measures and view sensitive data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: exposure of confidential data stored in cookies",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For Red Hat Advanced Cluster Management for Kubernetes (RHACM), the affected container was deprecated in ACM 2.5 version which is not anymore supported. Following versions of this product are not impacted by this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"known_not_affected": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-45857"
},
{
"category": "external",
"summary": "RHBZ#2248979",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248979"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-45857",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45857"
}
],
"release_date": "2023-11-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-06-20T00:34:55+00:00",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "axios: exposure of confidential data stored in cookies"
},
{
"cve": "CVE-2023-48631",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2023-12-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2254559"
}
],
"notes": [
{
"category": "description",
"text": "A Regular Expression Denial of Service (ReDoS) vulnerability was found in Adobe\u0027s css-tools when parsing CSS. This issue occurs due to improper input validation and may allow an attacker to use a carefully crafted input string to cause a denial of service, especially when attempting to parse CSS.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "css-tools: regular expression denial of service (ReDoS) when parsing CSS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Regular Expression Denial of Service (ReDoS) vulnerability in css-tools, triggered by improper input validation when parsing CSS, is considered of moderate severity. While it can lead to a denial of service by causing the application to become unresponsive, the impact is limited to scenarios where an attacker can provide crafted input. Additionally, the absence of evidence of active exploitation in the wild and contextual factors, such as the software\u0027s usage, contribute to the moderate severity rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"known_not_affected": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-48631"
},
{
"category": "external",
"summary": "RHBZ#2254559",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254559"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-48631",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-48631"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-48631",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48631"
},
{
"category": "external",
"summary": "https://github.com/adobe/css-tools/security/advisories/GHSA-prr3-c3m5-p7q2",
"url": "https://github.com/adobe/css-tools/security/advisories/GHSA-prr3-c3m5-p7q2"
}
],
"release_date": "2023-12-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-06-20T00:34:55+00:00",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "css-tools: regular expression denial of service (ReDoS) when parsing CSS"
},
{
"cve": "CVE-2024-1023",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"discovery_date": "2024-01-29T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2260840"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"known_not_affected": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-1023"
},
{
"category": "external",
"summary": "RHBZ#2260840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260840"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-1023",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-1023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1023"
},
{
"category": "external",
"summary": "https://github.com/eclipse-vertx/vert.x/issues/5078",
"url": "https://github.com/eclipse-vertx/vert.x/issues/5078"
},
{
"category": "external",
"summary": "https://github.com/eclipse-vertx/vert.x/pull/5080",
"url": "https://github.com/eclipse-vertx/vert.x/pull/5080"
},
{
"category": "external",
"summary": "https://github.com/eclipse-vertx/vert.x/pull/5082",
"url": "https://github.com/eclipse-vertx/vert.x/pull/5082"
}
],
"release_date": "2024-01-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-06-20T00:34:55+00:00",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx"
},
{
"acknowledgments": [
{
"names": [
"Axel Flamcourt"
]
}
],
"cve": "CVE-2024-1132",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2024-01-31T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2262117"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: path transversal in redirection validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not impacted as this CVE affects the server-side Keycloak execution, but Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. For this reason, Quarkus is marked as having a Low impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"known_not_affected": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-1132"
},
{
"category": "external",
"summary": "RHBZ#2262117",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262117"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-1132",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1132"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-1132",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1132"
}
],
"release_date": "2024-04-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-06-20T00:34:55+00:00",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
},
{
"category": "workaround",
"details": "No current mitigation is available for this vulnerability.",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: path transversal in redirection validation"
},
{
"cve": "CVE-2024-1300",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"discovery_date": "2024-02-07T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2263139"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This affects only TLS servers with SNI enabled.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"known_not_affected": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-1300"
},
{
"category": "external",
"summary": "RHBZ#2263139",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263139"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-1300",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1300"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-1300",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1300"
},
{
"category": "external",
"summary": "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.",
"url": "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni."
}
],
"release_date": "2024-02-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-06-20T00:34:55+00:00",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support"
},
{
"cve": "CVE-2024-25710",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2024-02-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2264988"
}
],
"notes": [
{
"category": "description",
"text": "A loop with an unreachable exit condition (Infinite Loop) vulnerability was found in Apache Common Compress. This issue can lead to a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"known_not_affected": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-25710"
},
{
"category": "external",
"summary": "RHBZ#2264988",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264988"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-25710",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25710"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-25710",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25710"
},
{
"category": "external",
"summary": "http://www.openwall.com/lists/oss-security/2024/02/19/1",
"url": "http://www.openwall.com/lists/oss-security/2024/02/19/1"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf",
"url": "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf"
}
],
"release_date": "2024-02-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-06-20T00:34:55+00:00",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
},
{
"category": "workaround",
"details": "No mitigation is currently available for this vulnerability.",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file"
},
{
"cve": "CVE-2024-26308",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-02-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2264989"
}
],
"notes": [
{
"category": "description",
"text": "An allocation of resources without limits or throttling vulnerability was found in Apache Commons Compress. This issue can lead to an out-of-memory error.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "commons-compress: OutOfMemoryError unpacking broken Pack200 file",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"known_not_affected": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-26308"
},
{
"category": "external",
"summary": "RHBZ#2264989",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264989"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-26308",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26308"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-26308",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26308"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg",
"url": "https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2024/02/19/2",
"url": "https://www.openwall.com/lists/oss-security/2024/02/19/2"
}
],
"release_date": "2024-02-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-06-20T00:34:55+00:00",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
},
{
"category": "workaround",
"details": "No mitigation is currently available for this vulnerability.",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "commons-compress: OutOfMemoryError unpacking broken Pack200 file"
},
{
"cve": "CVE-2024-28849",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2024-03-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2269576"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the follow-redirects package. While processing the cross-domain redirection, `follow-redirects` clears authorization headers, however, it misses clearing proxy-authentication headers, which contain credentials as well. This issue may lead to credential leaking, having a high impact on data confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "follow-redirects: Possible credential leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"known_not_affected": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-28849"
},
{
"category": "external",
"summary": "RHBZ#2269576",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269576"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-28849",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28849"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-28849",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28849"
},
{
"category": "external",
"summary": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp",
"url": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp"
}
],
"release_date": "2024-03-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-06-20T00:34:55+00:00",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "follow-redirects: Possible credential leak"
},
{
"cve": "CVE-2024-29131",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2024-03-21T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2270674"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache Commons-Configuration2, where a Stack Overflow Error can occur when adding a property in AbstractListDelimiterHandler.flattenIterator(). This issue could allow an attacker to corrupt memory or execute a denial of service attack by crafting malicious property that triggers an out-of-bounds write issue when processed by the vulnerable method.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "commons-configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"known_not_affected": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29131"
},
{
"category": "external",
"summary": "RHBZ#2270674",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270674"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29131"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29131",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29131"
},
{
"category": "external",
"summary": "https://github.com/apache/commons-configuration/commit/56b5c4dcdffbde27870df5a3105d6a5f9b22f554",
"url": "https://github.com/apache/commons-configuration/commit/56b5c4dcdffbde27870df5a3105d6a5f9b22f554"
},
{
"category": "external",
"summary": "https://github.com/apache/commons-configuration/commit/7d7d399d0598cb0ca5f81891de34694178156dab",
"url": "https://github.com/apache/commons-configuration/commit/7d7d399d0598cb0ca5f81891de34694178156dab"
},
{
"category": "external",
"summary": "https://issues.apache.org/jira/browse/CONFIGURATION-840",
"url": "https://issues.apache.org/jira/browse/CONFIGURATION-840"
}
],
"release_date": "2024-03-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-06-20T00:34:55+00:00",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "commons-configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()"
},
{
"cve": "CVE-2024-29133",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2024-03-21T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2270673"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache Commons-Configuration2, where a Stack Overflow Error occurs when calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree. This issue could allow an attacker to trigger an out-of-bounds write that could lead to memory corruption or cause a denial of service condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "commons-configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"known_not_affected": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29133"
},
{
"category": "external",
"summary": "RHBZ#2270673",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270673"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29133",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29133"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29133",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29133"
},
{
"category": "external",
"summary": "https://github.com/apache/commons-configuration/commit/43f4dab021e9acb8db390db2ae80aa0cee4f9ee4",
"url": "https://github.com/apache/commons-configuration/commit/43f4dab021e9acb8db390db2ae80aa0cee4f9ee4"
},
{
"category": "external",
"summary": "https://issues.apache.org/jira/browse/CONFIGURATION-841",
"url": "https://issues.apache.org/jira/browse/CONFIGURATION-841"
}
],
"release_date": "2024-03-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-06-20T00:34:55+00:00",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "commons-configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree"
},
{
"cve": "CVE-2024-29180",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2024-03-21T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2270863"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the webpack-dev-middleware package, where it failed to validate the supplied URL address sufficiently before returning local files. This flaw allows an attacker to craft URLs to return arbitrary local files from the developer\u0027s machine. The lack of normalization before calling the middleware also allows the attacker to perform path traversal attacks on the target environment.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "webpack-dev-middleware: lack of URL validation may lead to file leak",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The vulnerability in webpack-dev represents a important security issue due to its potential to expose sensitive files and compromise developer machines. By failing to validate URLs and normalize paths effectively, the middleware allows attackers to craft malicious requests that can retrieve arbitrary local files or perform unauthorized path traversal. This could lead to unauthorized access to confidential information, including source code, configuration files, and even system-level files. Given the widespread use of webpack-dev-middleware in web development environments, addressing this vulnerability promptly is important to prevent serious data breaches and protect the integrity of development processes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"known_not_affected": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29180"
},
{
"category": "external",
"summary": "RHBZ#2270863",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270863"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29180",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29180"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29180",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29180"
},
{
"category": "external",
"summary": "https://github.com/webpack/webpack-dev-middleware/security/advisories/GHSA-wr3j-pwj9-hqq6",
"url": "https://github.com/webpack/webpack-dev-middleware/security/advisories/GHSA-wr3j-pwj9-hqq6"
}
],
"release_date": "2024-03-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-06-20T00:34:55+00:00",
"details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e_amd64",
"9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e_amd64",
"9Base-MTA-6.2:mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589_amd64",
"9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0_amd64",
"9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec_amd64",
"9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "webpack-dev-middleware: lack of URL validation may lead to file leak"
}
]
}
RHSA-2024:4884
Vulnerability from csaf_redhat - Published: 2024-07-25 19:26 - Updated: 2026-04-30 13:21Summary
Red Hat Security Advisory: Red Hat Build of Apache Camel 4.4.1 for Spring Boot security update.
Severity
Important
Notes
Topic: Red Hat build of Apache Camel 4.4.1 for Spring Boot release and security update is now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat build of Apache Camel 4.4.1 for Spring Boot release and security update is now available.
The purpose of this text-only errata is to inform you about the security issues fixed.
Security Fix(es):
* undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket (CVE-2024-5971)
* pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE (CVE-2024-1597)
* vert.x: io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)
* vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI supportd (CVE-2024-1300)
* pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE (CVE-2024-1597)
* undertow: url-encoded request path information can be broken on ajp-listener (CVE-2024-6162)
* jetty: stop accepting new connections from valid clients (CVE-2024-22201)
* threetenbp: null pointer exception (CVE-2024-23081)
* org.bouncycastle:bcprov-jdk18on: org.bouncycastle: Importing an EC certificate with crafted F2m parameters may lead to Denial of Service (CVE-2024-29857)
* org.bouncycastle-bcprov-jdk18on: bc-java: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack) (CVE-2024-30171)
* org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519 verification in the ScalarUtil class (CVE-2024-30172)
* mvel: TimeOut error when calling ParseTools.subCompileExpression() function (CVE-2023-51079)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
[DISPUTED] A vulnerability was found in the ParseTools.subCompileExpression() method in the Mvel package. This vulnerability manifests as a TimeOut error, and may allow an attacker to leverage the TimeOut error to disrupt the normal functioning of the system or application, potentially leading to undesired outcomes or disruptions.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.4::el6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.4::el6
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.
5.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.4::el6
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the PostgreSQL JDBC Driver. A SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.4::el6
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.4::el6
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\r\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.4::el6
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.4::el6
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Jetty, a Java based web server and servlet engine. If an HTTP/2 connection gets TCP congested, it remains open and idle, and connections may be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.4::el6
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A vulnerability was found in Spring Security. This issue may lead to Broken Access Control, allowing a malicious user to impact the Confidentiality and Integrity of an application or server. This requires the application to use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and have a null authentication parameter passed to it, resulting in an erroneous true return value.
7.4 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.4::el6
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A broken access control flaw was found in Spring Security. Applications may be vulnerable when directly using the AuthenticatedVoter#vote passing a NULL authentication parameter.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.4::el6
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A null pointer exception vulnerability was found in Threeten Backport. If the other parameter is null in ChronoLocalDate, a NullPointerException is thrown.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.4::el6
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.4::el6
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A vulnerability was found in Bouncy Castle. An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java). Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.4::el6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the Bouncy Castle Java cryptography APIs. Affected versions of the org.bouncycastle:bcprov-jdk18on package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP decryption process (a.k.a. Marvin Attack). An attacker can recover cipher-texts via a side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector leaks data via javax.crypto.Cipher exceptions and the OAEP interface vector leaks via the bit size of the decrypted data.
5.9 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.4::el6
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the Bouncy Castle Java Cryptography APIs. Affected versions of this package are vulnerable to an Infinite loop issue in ED25519 verification in the ScalarUtil class. This flaw allows an attacker to send a malicious signature and public key to trigger a denial of service.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.4::el6
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Bouncy Castle Java Cryptography APIs. Affected versions of this package are vulnerable to a use of incorrectly-resolved name or reference issue when resolving domain names over an SSL socket that was created without an explicit hostname, such as in the HttpsURLConnection() function. If endpoint identification is enabled, this flow allows an attacker to trigger hostname verification against a DNS-resolved address.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.4::el6
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
100 references
Acknowledgments
Red Hat
Hubert Kario
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat build of Apache Camel 4.4.1 for Spring Boot release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Apache Camel 4.4.1 for Spring Boot release and security update is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n\n* undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket (CVE-2024-5971)\n\n* pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE (CVE-2024-1597)\n\n* vert.x: io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)\n\n* vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI supportd (CVE-2024-1300)\n\n* pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE (CVE-2024-1597)\n\n* undertow: url-encoded request path information can be broken on ajp-listener (CVE-2024-6162)\n\n* jetty: stop accepting new connections from valid clients (CVE-2024-22201)\n\n* threetenbp: null pointer exception (CVE-2024-23081)\n\n* org.bouncycastle:bcprov-jdk18on: org.bouncycastle: Importing an EC certificate with crafted F2m parameters may lead to Denial of Service (CVE-2024-29857)\n\n* org.bouncycastle-bcprov-jdk18on: bc-java: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack) (CVE-2024-30171)\n\n* org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519 verification in the ScalarUtil class (CVE-2024-30172)\n\n* mvel: TimeOut error when calling ParseTools.subCompileExpression() function (CVE-2023-51079)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:4884",
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2256065",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256065"
},
{
"category": "external",
"summary": "2260840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260840"
},
{
"category": "external",
"summary": "2263139",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263139"
},
{
"category": "external",
"summary": "2266136",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266136"
},
{
"category": "external",
"summary": "2266523",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266523"
},
{
"category": "external",
"summary": "2274197",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274197"
},
{
"category": "external",
"summary": "2276360",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2276360"
},
{
"category": "external",
"summary": "2292211",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292211"
},
{
"category": "external",
"summary": "2293025",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293025"
},
{
"category": "external",
"summary": "2293028",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293028"
},
{
"category": "external",
"summary": "2293069",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293069"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_4884.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.4.1 for Spring Boot security update.",
"tracking": {
"current_release_date": "2026-04-30T13:21:04+00:00",
"generator": {
"date": "2026-04-30T13:21:04+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2024:4884",
"initial_release_date": "2024-07-25T19:26:07+00:00",
"revision_history": [
{
"date": "2024-07-25T19:26:07+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-06-24T15:24:54+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-30T13:21:04+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2",
"product": {
"name": "Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2",
"product_id": "Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat Build of Apache Camel"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-51079",
"discovery_date": "2023-12-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2256065"
}
],
"notes": [
{
"category": "description",
"text": "[DISPUTED] A vulnerability was found in the ParseTools.subCompileExpression() method in the Mvel package. This vulnerability manifests as a TimeOut error, and may allow an attacker to leverage the TimeOut error to disrupt the normal functioning of the system or application, potentially leading to undesired outcomes or disruptions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mvel: TimeOut error when calling ParseTools.subCompileExpression() function",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This CVE is disputed because the only anticipated outcome is that the parser will take an exceptionally long time to complete its task.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-51079"
},
{
"category": "external",
"summary": "RHBZ#2256065",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256065"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-51079",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-51079"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-51079",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51079"
},
{
"category": "external",
"summary": "https://github.com/mvel/mvel/issues/348",
"url": "https://github.com/mvel/mvel/issues/348"
}
],
"release_date": "2023-12-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-07-25T19:26:07+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mvel: TimeOut error when calling ParseTools.subCompileExpression() function"
},
{
"cve": "CVE-2024-1023",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"discovery_date": "2024-01-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2260840"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-1023"
},
{
"category": "external",
"summary": "RHBZ#2260840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260840"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-1023",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-1023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1023"
},
{
"category": "external",
"summary": "https://github.com/eclipse-vertx/vert.x/issues/5078",
"url": "https://github.com/eclipse-vertx/vert.x/issues/5078"
},
{
"category": "external",
"summary": "https://github.com/eclipse-vertx/vert.x/pull/5080",
"url": "https://github.com/eclipse-vertx/vert.x/pull/5080"
},
{
"category": "external",
"summary": "https://github.com/eclipse-vertx/vert.x/pull/5082",
"url": "https://github.com/eclipse-vertx/vert.x/pull/5082"
}
],
"release_date": "2024-01-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-07-25T19:26:07+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx"
},
{
"cve": "CVE-2024-1300",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"discovery_date": "2024-02-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2263139"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This affects only TLS servers with SNI enabled.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-1300"
},
{
"category": "external",
"summary": "RHBZ#2263139",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263139"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-1300",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1300"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-1300",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1300"
},
{
"category": "external",
"summary": "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.",
"url": "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni."
}
],
"release_date": "2024-02-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-07-25T19:26:07+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support"
},
{
"cve": "CVE-2024-1597",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2024-02-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2266523"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the PostgreSQL JDBC Driver. A SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The PostgreSQL JDBC Driver is not affected in the default query mode. Users that do not override the query mode are not impacted.\n\nThe described SQL injection vulnerability, while significant, is categorized as important rather than critical due to several factors. Firstly, the exploitation relies on specific conditions, including the use of a non-default query mode (preferQueryMode=simple) and the precise arrangement of user-controlled parameters within the SQL query. This limits the potential attack surface and reduces the likelihood of widespread exploitation across systems. Additionally, the vulnerability does not pose an immediate and severe risk of system compromise or data breach; rather, it enables attackers to manipulate SQL queries and potentially execute arbitrary commands within the context of the application\u0027s database. Furthermore, the vulnerability can be effectively mitigated by applying the provided patch or by avoiding the use of the vulnerable query mode, thus reducing the risk of exploitation.\n\nRed Hat Satellite ships a PostgreSQL JDBC Driver which embeds into Candlepin. However, Candlepin doesn\u0027t directly utilize the PostgreSQL JDBC Driver and doesn\u0027t set PreferQueryMode. Therefore, although the affected component is shipped, the product impact is considered Low. This issue may be addressed in a future Satellite release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-1597"
},
{
"category": "external",
"summary": "RHBZ#2266523",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266523"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-1597",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1597"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-1597",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1597"
},
{
"category": "external",
"summary": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56",
"url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56"
},
{
"category": "external",
"summary": "https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes/",
"url": "https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes/"
},
{
"category": "external",
"summary": "https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597/",
"url": "https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597/"
}
],
"release_date": "2024-02-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-07-25T19:26:07+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"category": "workaround",
"details": "Do not use the connection propertypreferQueryMode=simple. If you do not explicitly specify a query mode, then you are using the default of extended and are not impacted by this issue.",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE"
},
{
"cve": "CVE-2024-1635",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-02-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2264928"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. \r\n\r\nAt HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: Out-of-memory Error after several closed connections with wildfly-http-client protocol",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is rated as Important due to the fact that this might be an unauthenticated remote issue exploited by a malicious user, causing a denial of service (DoS) to the affected server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-1635"
},
{
"category": "external",
"summary": "RHBZ#2264928",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264928"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-1635",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1635"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-1635",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1635"
}
],
"release_date": "2023-10-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-07-25T19:26:07+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"category": "workaround",
"details": "No mitigation is currently available for this vulnerability. However, there might be some protections, such as request limits by a load balancer in front of JBoss EAP/Wildfly or even Undertow, that could minimize the impact.",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "undertow: Out-of-memory Error after several closed connections with wildfly-http-client protocol"
},
{
"cve": "CVE-2024-5971",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2024-06-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2292211"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\\r\\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The identified vulnerability in Undertow, where chunked responses fail to terminate properly under Java 17 with TLSv1.3, represents a significant security concern due to its potential for uncontrolled resource consumption and denial of service (DoS) attacks. This issue arises from Undertow\u0027s mishandling of chunked response termination after initial data flushing, leading to clients waiting indefinitely for completion signals that are not sent. Such behavior could be exploited by malicious actors to exhaust server resources, resulting in service degradation or unavailability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-5971"
},
{
"category": "external",
"summary": "RHBZ#2292211",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292211"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-5971",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-5971"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-5971",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5971"
}
],
"release_date": "2024-07-08T20:46:55+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-07-25T19:26:07+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket"
},
{
"cve": "CVE-2024-6162",
"cwe": {
"id": "CWE-488",
"name": "Exposure of Data Element to Wrong Session"
},
"discovery_date": "2024-06-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2293069"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as \"404 Not Found\" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: url-encoded request path information can be broken on ajp-listener",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue is classified as moderate severity rather than important because it specifically affects URL-encoded request paths under concurrent access conditions, primarily through the AJP listener. While it can lead to 404 errors or application failures, it does not inherently compromise data integrity, security, or lead to direct unauthorized access. The impact is limited to incorrect handling of certain URL-encoded paths, which means it primarily disrupts access to static or encoded resources rather than posing a broader risk to the system\u2019s overall security or functionality.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-6162"
},
{
"category": "external",
"summary": "RHBZ#2293069",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293069"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-6162",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6162"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-6162",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6162"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/JBEAP-26268",
"url": "https://issues.redhat.com/browse/JBEAP-26268"
}
],
"release_date": "2024-06-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-07-25T19:26:07+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"category": "workaround",
"details": "To mitigate this issue, you can either switch to a different listener like the http-listener, or adjust the AJP listener configuration. By setting decode-url=\"false\" on the AJP listener and configuring a separate URL decoding filter, you can prevent the path decoding errors. This adjustment ensures that each request is processed correctly without interference from concurrent requests.",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undertow: url-encoded request path information can be broken on ajp-listener"
},
{
"cve": "CVE-2024-22201",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-02-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2266136"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jetty, a Java based web server and servlet engine. If an HTTP/2 connection gets TCP congested, it remains open and idle, and connections may be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty: stop accepting new connections from valid clients",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The issue in Jetty where HTTP/2 connections can enter a congested, idle state and potentially exhaust server file descriptors represents a moderate severity due to its impact on system resources and service availability. While the vulnerability requires the deliberate creation of numerous congested connections by an attacker, its exploitation can lead to denial-of-service conditions by consuming all available file descriptors. This scenario could disrupt legitimate client connections and impair server responsiveness.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-22201"
},
{
"category": "external",
"summary": "RHBZ#2266136",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266136"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-22201",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22201"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-22201",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22201"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/issues/11256",
"url": "https://github.com/jetty/jetty.project/issues/11256"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98"
}
],
"release_date": "2024-02-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-07-25T19:26:07+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty: stop accepting new connections from valid clients"
},
{
"cve": "CVE-2024-22234",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2024-02-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2265172"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Spring Security. This issue may lead to Broken Access Control, allowing a malicious user to impact the Confidentiality and Integrity of an application or server. This requires the application to use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly and have a null authentication parameter passed to it, resulting in an erroneous true return value.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "spring-security: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat considers this as a Moderate impact since it requires the malicious user to have knowledge of how a server implements the authentication resolver from Spring Security. A validation is also suggested to make sure there are no null parameters and no erroneous true is triggered from this method.\n\nAn application is not vulnerable if any of the following are true:\n- The application does not use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) directly\n- The application does not pass null to AuthenticationTrustResolver.isFullyAuthenticated\n- The application only uses isFullyAuthenticated via Method Security or HTTP Request Security",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-22234"
},
{
"category": "external",
"summary": "RHBZ#2265172",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265172"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-22234",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22234"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-22234",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22234"
},
{
"category": "external",
"summary": "https://spring.io/security/cve-2024-22234",
"url": "https://spring.io/security/cve-2024-22234"
}
],
"release_date": "2024-02-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-07-25T19:26:07+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"category": "workaround",
"details": "Make sure the application is not vulnerable according to the description bullet points mentioned in this page.",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "spring-security: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated"
},
{
"cve": "CVE-2024-22257",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2024-03-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2270158"
}
],
"notes": [
{
"category": "description",
"text": "A broken access control flaw was found in Spring Security. Applications may be vulnerable when directly using the AuthenticatedVoter#vote passing a NULL authentication parameter.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "spring-security: Broken Access Control With Direct Use of AuthenticatedVoter",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The AuthenticatedVoter class was deprecated since Spring Security 5.8 is used in favor of the AuthorizationManager class, which is not vulnerable to this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-22257"
},
{
"category": "external",
"summary": "RHBZ#2270158",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270158"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-22257",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22257"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-22257",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22257"
},
{
"category": "external",
"summary": "https://spring.io/security/cve-2024-22257",
"url": "https://spring.io/security/cve-2024-22257"
}
],
"release_date": "2024-03-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-07-25T19:26:07+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "spring-security: Broken Access Control With Direct Use of AuthenticatedVoter"
},
{
"cve": "CVE-2024-23081",
"cwe": {
"id": "CWE-754",
"name": "Improper Check for Unusual or Exceptional Conditions"
},
"discovery_date": "2024-04-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2274197"
}
],
"notes": [
{
"category": "description",
"text": "A null pointer exception vulnerability was found in Threeten Backport. If the other parameter is null in ChronoLocalDate, a NullPointerException is thrown.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "threetenbp: null pointer exception",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-23081"
},
{
"category": "external",
"summary": "RHBZ#2274197",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274197"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-23081",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23081"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-23081",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23081"
},
{
"category": "external",
"summary": "https://gist.github.com/LLM4IG/3cc9183dcd887020368a0bafeafec5e3",
"url": "https://gist.github.com/LLM4IG/3cc9183dcd887020368a0bafeafec5e3"
},
{
"category": "external",
"summary": "https://github.com/ThreeTen/threetenbp/blob/adcdbc462b4e93e68e6f9c9a82217d0478b7d635/src/site/markdown/security.md?plain=1#L17",
"url": "https://github.com/ThreeTen/threetenbp/blob/adcdbc462b4e93e68e6f9c9a82217d0478b7d635/src/site/markdown/security.md?plain=1#L17"
},
{
"category": "external",
"summary": "https://github.com/ThreeTen/threetenbp/blob/main/src/main/java/org/threeten/bp/LocalDate.java#L1671",
"url": "https://github.com/ThreeTen/threetenbp/blob/main/src/main/java/org/threeten/bp/LocalDate.java#L1671"
}
],
"release_date": "2024-04-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-07-25T19:26:07+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "threetenbp: null pointer exception"
},
{
"cve": "CVE-2024-29025",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-04-03T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2272907"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty-codec-http: Allocation of Resources Without Limits or Throttling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The vulnerability in io.netty:netty-codec-http, allowing for Allocation of Resources Without Limits or Throttling issues, is assessed as moderate severity due to its potential impact on system availability and performance. By exploiting the flaw in HttpPostRequestDecoder, an attacker can craft chunked POST requests with numerous small fields, causing excessive accumulation of data in memory buffers. This unrestricted accumulation can lead to significant memory consumption on the server, potentially exhausting available resources and resulting in denial of service (DoS) conditions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29025"
},
{
"category": "external",
"summary": "RHBZ#2272907",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272907"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29025",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29025"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29025",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29025"
},
{
"category": "external",
"summary": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3",
"url": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c",
"url": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v",
"url": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812"
}
],
"release_date": "2024-03-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-07-25T19:26:07+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty-codec-http: Allocation of Resources Without Limits or Throttling"
},
{
"cve": "CVE-2024-29857",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2024-06-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2293028"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Bouncy Castle. An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java). Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.bouncycastle: Importing an EC certificate with crafted F2m parameters may lead to Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29857"
},
{
"category": "external",
"summary": "RHBZ#2293028",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293028"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29857",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29857"
}
],
"release_date": "2024-06-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-07-25T19:26:07+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.bouncycastle: Importing an EC certificate with crafted F2m parameters may lead to Denial of Service"
},
{
"acknowledgments": [
{
"names": [
"Hubert Kario"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2024-30171",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2024-04-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2276360"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Bouncy Castle Java cryptography APIs. Affected versions of the org.bouncycastle:bcprov-jdk18on package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP decryption process (a.k.a. Marvin Attack). An attacker can recover cipher-texts via a side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector leaks data via javax.crypto.Cipher exceptions and the OAEP interface vector leaks via the bit size of the decrypted data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bc-java: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-30171"
},
{
"category": "external",
"summary": "RHBZ#2276360",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2276360"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-30171",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30171"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-30171",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30171"
},
{
"category": "external",
"summary": "https://people.redhat.com/~hkario/marvin/",
"url": "https://people.redhat.com/~hkario/marvin/"
}
],
"release_date": "2024-04-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-07-25T19:26:07+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bc-java: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack)"
},
{
"cve": "CVE-2024-30172",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2024-06-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2293025"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Bouncy Castle Java Cryptography APIs. Affected versions of this package are vulnerable to an Infinite loop issue in ED25519 verification in the ScalarUtil class. This flaw allows an attacker to send a malicious signature and public key to trigger a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519 verification in the ScalarUtil class",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-30172"
},
{
"category": "external",
"summary": "RHBZ#2293025",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293025"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-30172",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30172"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-30172",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30172"
},
{
"category": "external",
"summary": "https://www.bouncycastle.org/latest_releases.html",
"url": "https://www.bouncycastle.org/latest_releases.html"
}
],
"release_date": "2024-05-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-07-25T19:26:07+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519 verification in the ScalarUtil class"
},
{
"cve": "CVE-2024-34447",
"cwe": {
"id": "CWE-706",
"name": "Use of Incorrectly-Resolved Name or Reference"
},
"discovery_date": "2024-05-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2279227"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Bouncy Castle Java Cryptography APIs. Affected versions of this package are vulnerable to a use of incorrectly-resolved name or reference issue when resolving domain names over an SSL socket that was created without an explicit hostname, such as in the HttpsURLConnection() function. If endpoint identification is enabled, this flow allows an attacker to trigger hostname verification against a DNS-resolved address.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.bouncycastle: Use of Incorrectly-Resolved Name or Reference",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The vulnerability in Bouncy Castle Java Cryptography APIs, allowing for incorrect resolution of domain names during SSL/TLS connections without explicitly specifying a hostname, is assessed as moderate severity due to its potential impact on security. By exploiting this flaw, an attacker could manipulate DNS resolution to present a different server\u0027s certificate, leading to a mismatch between expected and verified hostnames. While this could facilitate a man-in-the-middle attack under specific conditions, its severity is moderated by the prerequisite of the attacker controlling DNS responses or intercepting network traffic.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-34447"
},
{
"category": "external",
"summary": "RHBZ#2279227",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2279227"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-34447",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34447"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-34447",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34447"
}
],
"release_date": "2024-05-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-07-25T19:26:07+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.bouncycastle: Use of Incorrectly-Resolved Name or Reference"
}
]
}
WID-SEC-W-2024-0818
Vulnerability from csaf_certbund - Published: 2024-04-08 22:00 - Updated: 2025-11-18 23:00Summary
Red Hat Integration: Mehrere Schwachstellen
Severity
Mittel
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Red Hat Integration umfasst diverse Integrations- und Messaging-Technologien, mit denen sich Anwendungen und Daten in Hybrid-Infrastrukturen verbinden lassen.
Angriff: Ein entfernter authentifizierter oder anonymer Angreifer kann mehrere Schwachstellen in Red Hat Integration ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder Sicherheitsmaßnahmen zu umgehen.
Betroffene Betriebssysteme: - Linux
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Integration
Red Hat
|
cpe:/a:redhat:integration:-
|
— | |
|
Red Hat Enterprise Linux AMQ Streams 2
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:amq_streams_2
|
AMQ Streams 2 | |
|
Atlassian Bitbucket <9.4.13 (LTS)
Atlassian / Bitbucket
|
<9.4.13 (LTS) | ||
|
Hitachi Ops Center
Hitachi
|
cpe:/a:hitachi:ops_center:-
|
— | |
|
Atlassian Bitbucket <8.19.25 (LTS)
Atlassian / Bitbucket
|
<8.19.25 (LTS) | ||
|
Atlassian Bitbucket <10.0.2
Atlassian / Bitbucket
|
<10.0.2 |
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Integration
Red Hat
|
cpe:/a:redhat:integration:-
|
— | |
|
Red Hat Enterprise Linux AMQ Streams 2
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:amq_streams_2
|
AMQ Streams 2 | |
|
Atlassian Bitbucket <9.4.13 (LTS)
Atlassian / Bitbucket
|
<9.4.13 (LTS) | ||
|
Hitachi Ops Center
Hitachi
|
cpe:/a:hitachi:ops_center:-
|
— | |
|
Atlassian Bitbucket <8.19.25 (LTS)
Atlassian / Bitbucket
|
<8.19.25 (LTS) | ||
|
Atlassian Bitbucket <10.0.2
Atlassian / Bitbucket
|
<10.0.2 |
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Integration
Red Hat
|
cpe:/a:redhat:integration:-
|
— | |
|
Red Hat Enterprise Linux AMQ Streams 2
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:amq_streams_2
|
AMQ Streams 2 | |
|
Atlassian Bitbucket <9.4.13 (LTS)
Atlassian / Bitbucket
|
<9.4.13 (LTS) | ||
|
Hitachi Ops Center
Hitachi
|
cpe:/a:hitachi:ops_center:-
|
— | |
|
Atlassian Bitbucket <8.19.25 (LTS)
Atlassian / Bitbucket
|
<8.19.25 (LTS) | ||
|
Atlassian Bitbucket <10.0.2
Atlassian / Bitbucket
|
<10.0.2 |
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Red Hat Integration
Red Hat
|
cpe:/a:redhat:integration:-
|
— | |
|
Red Hat Enterprise Linux AMQ Streams 2
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:amq_streams_2
|
AMQ Streams 2 | |
|
Atlassian Bitbucket <9.4.13 (LTS)
Atlassian / Bitbucket
|
<9.4.13 (LTS) | ||
|
Hitachi Ops Center
Hitachi
|
cpe:/a:hitachi:ops_center:-
|
— | |
|
Atlassian Bitbucket <8.19.25 (LTS)
Atlassian / Bitbucket
|
<8.19.25 (LTS) | ||
|
Atlassian Bitbucket <10.0.2
Atlassian / Bitbucket
|
<10.0.2 |
References
11 references
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat Integration umfasst diverse Integrations- und Messaging-Technologien, mit denen sich Anwendungen und Daten in Hybrid-Infrastrukturen verbinden lassen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter authentifizierter oder anonymer Angreifer kann mehrere Schwachstellen in Red Hat Integration ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder Sicherheitsma\u00dfnahmen zu umgehen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-0818 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0818.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-0818 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0818"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2024-04-08",
"url": "https://access.redhat.com/errata/RHSA-2024:1706"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:1923 vom 2024-04-18",
"url": "https://access.redhat.com/errata/RHSA-2024:1923"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:2833 vom 2024-05-14",
"url": "https://access.redhat.com/errata/RHSA-2024:2833"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:3527 vom 2024-05-30",
"url": "https://access.redhat.com/errata/RHSA-2024:3527"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:3989 vom 2024-06-20",
"url": "https://access.redhat.com/errata/RHSA-2024:3989"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:4884 vom 2024-07-26",
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:6536 vom 2024-09-10",
"url": "https://access.redhat.com/errata/RHSA-2024:6536"
},
{
"category": "external",
"summary": "Hitachi Vulnerability Information HITACHI-SEC-2024-150 vom 2024-12-17",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-150/index.html"
},
{
"category": "external",
"summary": "Atlassian Security Bulletin - November 18 2025",
"url": "https://confluence.atlassian.com/security/security-bulletin-november-18-2025-1671463469.html"
}
],
"source_lang": "en-US",
"title": "Red Hat Integration: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-11-18T23:00:00.000+00:00",
"generator": {
"date": "2025-11-19T09:42:47.696+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2024-0818",
"initial_release_date": "2024-04-08T22:00:00.000+00:00",
"revision_history": [
{
"date": "2024-04-08T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2024-04-18T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-05-13T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-05-30T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-06-19T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-07-25T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-09-10T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-12-17T23:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von HITACHI aufgenommen"
},
{
"date": "2025-11-18T23:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates aufgenommen"
}
],
"status": "final",
"version": "9"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c10.0.2",
"product": {
"name": "Atlassian Bitbucket \u003c10.0.2",
"product_id": "T048675"
}
},
{
"category": "product_version",
"name": "10.0.2",
"product": {
"name": "Atlassian Bitbucket 10.0.2",
"product_id": "T048675-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:bitbucket:10.0.2"
}
}
},
{
"category": "product_version_range",
"name": "\u003c8.19.25 (LTS)",
"product": {
"name": "Atlassian Bitbucket \u003c8.19.25 (LTS)",
"product_id": "T048676"
}
},
{
"category": "product_version",
"name": "8.19.25 (LTS)",
"product": {
"name": "Atlassian Bitbucket 8.19.25 (LTS)",
"product_id": "T048676-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:bitbucket:8.19.25_%28lts%29"
}
}
},
{
"category": "product_version_range",
"name": "\u003c9.4.13 (LTS)",
"product": {
"name": "Atlassian Bitbucket \u003c9.4.13 (LTS)",
"product_id": "T048677"
}
},
{
"category": "product_version",
"name": "9.4.13 (LTS)",
"product": {
"name": "Atlassian Bitbucket 9.4.13 (LTS)",
"product_id": "T048677-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:bitbucket:9.4.13_%28lts%29"
}
}
}
],
"category": "product_name",
"name": "Bitbucket"
}
],
"category": "vendor",
"name": "Atlassian"
},
{
"branches": [
{
"category": "product_name",
"name": "Hitachi Ops Center",
"product": {
"name": "Hitachi Ops Center",
"product_id": "T038840",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:-"
}
}
}
],
"category": "vendor",
"name": "Hitachi"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"category": "product_version",
"name": "AMQ Streams 2",
"product": {
"name": "Red Hat Enterprise Linux AMQ Streams 2",
"product_id": "T037463",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:amq_streams_2"
}
}
}
],
"category": "product_name",
"name": "Enterprise Linux"
},
{
"category": "product_name",
"name": "Red Hat Integration",
"product": {
"name": "Red Hat Integration",
"product_id": "T033960",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:integration:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-1023",
"product_status": {
"known_affected": [
"67646",
"T033960",
"T037463",
"T048677",
"T038840",
"T048676",
"T048675"
]
},
"release_date": "2024-04-08T22:00:00.000+00:00",
"title": "CVE-2024-1023"
},
{
"cve": "CVE-2024-25710",
"product_status": {
"known_affected": [
"67646",
"T033960",
"T037463",
"T048677",
"T038840",
"T048676",
"T048675"
]
},
"release_date": "2024-04-08T22:00:00.000+00:00",
"title": "CVE-2024-25710"
},
{
"cve": "CVE-2024-26308",
"product_status": {
"known_affected": [
"67646",
"T033960",
"T037463",
"T048677",
"T038840",
"T048676",
"T048675"
]
},
"release_date": "2024-04-08T22:00:00.000+00:00",
"title": "CVE-2024-26308"
},
{
"cve": "CVE-2024-1300",
"product_status": {
"known_affected": [
"67646",
"T033960",
"T037463",
"T048677",
"T038840",
"T048676",
"T048675"
]
},
"release_date": "2024-04-08T22:00:00.000+00:00",
"title": "CVE-2024-1300"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…