Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-3171 (GCVE-0-2022-3171)
Vulnerability from cvelistv5 – Published: 2022-10-12 00:00 – Updated: 2025-04-21 13:47
VLAI
EPSS
Title
Memory handling vulnerability in ProtocolBuffers Java core and lite
Summary
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Severity
4.3 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/protocolbuffers/protobuf/secur… | |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory |
| https://security.gentoo.org/glsa/202301-09 | vendor-advisory |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Google LLC | Protocolbuffers |
Affected:
3.21.7 , < 3.21.7
(custom)
Affected: 3.20.3 , < 3.20.3 (custom) Affected: 3.19.6 , < 3.19.6 (custom) Affected: 3.16.3 , < 3.16.3 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.773Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
},
{
"name": "FEDORA-2022-25f35ed634",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/"
},
{
"name": "GLSA-202301-09",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202301-09"
},
{
"name": "FEDORA-2022-15729fa33d",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3171",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-21T13:36:41.564407Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T13:47:57.569Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"core and lite"
],
"product": "Protocolbuffers",
"vendor": "Google LLC",
"versions": [
{
"lessThan": "3.21.7",
"status": "affected",
"version": "3.21.7",
"versionType": "custom"
},
{
"lessThan": "3.20.3",
"status": "affected",
"version": "3.20.3",
"versionType": "custom"
},
{
"lessThan": "3.19.6",
"status": "affected",
"version": "3.19.6",
"versionType": "custom"
},
{
"lessThan": "3.16.3",
"status": "affected",
"version": "3.16.3",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-27T00:00:00.000Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
},
{
"name": "FEDORA-2022-25f35ed634",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/"
},
{
"name": "GLSA-202301-09",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202301-09"
},
{
"name": "FEDORA-2022-15729fa33d",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Memory handling vulnerability in ProtocolBuffers Java core and lite",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2022-3171",
"datePublished": "2022-10-12T00:00:00.000Z",
"dateReserved": "2022-09-09T00:00:00.000Z",
"dateUpdated": "2025-04-21T13:47:57.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-3171",
"date": "2026-05-29",
"epss": "0.0011",
"percentile": "0.29096"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-3171\",\"sourceIdentifier\":\"cve-coordination@google.com\",\"published\":\"2022-10-12T23:15:09.807\",\"lastModified\":\"2024-11-21T07:18:58.277\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.\"},{\"lang\":\"es\",\"value\":\"Un problema de an\u00e1lisis de datos binarios en protobuf-java core y lite versiones anteriores a 3.21.7, 3.20.3, 3.19.6 y 3.16.3, puede conllevar a un ataque de denegaci\u00f3n de servicio. Las entradas que contienen m\u00faltiples instancias de mensajes insertados no repetidos con campos repetidos o desconocidos causan que los objetos sean convertidos de ida y vuelta entre las formas mutables e inmutables, resultando en pausas de recolecci\u00f3n de basura potencialmente largas. Es recomendado actualizar a versiones mencionadas anteriormente\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve-coordination@google.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"cve-coordination@google.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*\",\"versionEndExcluding\":\"3.16.3\",\"matchCriteriaId\":\"1097AC30-B07F-4759-B62E-86B7856DB9BF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"3.17.0\",\"versionEndExcluding\":\"3.19.6\",\"matchCriteriaId\":\"F9A3FACD-AB55-41D7-86E2-A49E55C901E9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"3.20.0\",\"versionEndExcluding\":\"3.20.3\",\"matchCriteriaId\":\"C92E0E73-782B-4ABB-A1C9-FB762744E1E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"3.21.0\",\"versionEndExcluding\":\"3.21.7\",\"matchCriteriaId\":\"83C75530-D5AE-4AD9-A548-E4AD87300982\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.16.3\",\"matchCriteriaId\":\"DC11741F-5A8A-4EBA-B4F8-046866813A97\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.17.0\",\"versionEndExcluding\":\"3.19.6\",\"matchCriteriaId\":\"E669203D-A2DE-4148-A966-81843737603C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.20.0\",\"versionEndExcluding\":\"3.20.3\",\"matchCriteriaId\":\"56CA1E8D-A555-4F4F-80D8-F23D0DC50BB8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.21.0\",\"versionEndExcluding\":\"3.21.7\",\"matchCriteriaId\":\"E82CFAC2-2F65-45FD-88D9-D42145FC4A4F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.16.3\",\"matchCriteriaId\":\"50F55B55-9C50-4489-A1A7-9FD0893FB877\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.17.0\",\"versionEndExcluding\":\"3.19.6\",\"matchCriteriaId\":\"2B4050D4-2224-467C-B46D-2CD734B3B0FB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.20.0\",\"versionEndExcluding\":\"3.20.3\",\"matchCriteriaId\":\"459A8615-D2ED-49F3-A81C-DC4560D96C93\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.21.0\",\"versionEndExcluding\":\"3.21.7\",\"matchCriteriaId\":\"712693B9-41AB-41D1-97B2-560FDFEE0863\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.16.3\",\"matchCriteriaId\":\"78B4C867-FA47-464D-85D1-DB46E5F035A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.17.0\",\"versionEndExcluding\":\"3.19.6\",\"matchCriteriaId\":\"DCCCC941-D98E-4B60-A1E2-282EBFF92B17\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.20.0\",\"versionEndExcluding\":\"3.20.3\",\"matchCriteriaId\":\"85E923BA-CB98-4B28-9BB5-A8D62E21D086\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.21.0\",\"versionEndExcluding\":\"3.21.7\",\"matchCriteriaId\":\"81C71355-5BBB-4197-A5A6-EFDF750C4C90\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.16.3\",\"matchCriteriaId\":\"F758471D-1586-4A85-A567-85321F7B186F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.17.0\",\"versionEndExcluding\":\"3.19.6\",\"matchCriteriaId\":\"DAA9ACA3-A94B-473B-9393-51C32473954F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.20.0\",\"versionEndExcluding\":\"3.20.3\",\"matchCriteriaId\":\"2EE1D9B6-30FC-4AB9-921B-A4A8F4E41387\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.21.0\",\"versionEndExcluding\":\"3.21.7\",\"matchCriteriaId\":\"9839B552-5DAF-4892-B34D-69201B0258A2\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E30D0E6F-4AE8-4284-8716-991DFA48CC5D\"}]}]}],\"references\":[{\"url\":\"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2\",\"source\":\"cve-coordination@google.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/\",\"source\":\"cve-coordination@google.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/\",\"source\":\"cve-coordination@google.com\"},{\"url\":\"https://security.gentoo.org/glsa/202301-09\",\"source\":\"cve-coordination@google.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202301-09\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/\", \"name\": \"FEDORA-2022-25f35ed634\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://security.gentoo.org/glsa/202301-09\", \"name\": \"GLSA-202301-09\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/\", \"name\": \"FEDORA-2022-15729fa33d\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T01:00:10.773Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-3171\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-21T13:36:41.564407Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-21T13:36:42.997Z\"}}], \"cna\": {\"title\": \"Memory handling vulnerability in ProtocolBuffers Java core and lite\", \"source\": {\"discovery\": \"INTERNAL\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Google LLC\", \"product\": \"Protocolbuffers\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.21.7\", \"lessThan\": \"3.21.7\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.20.3\", \"lessThan\": \"3.20.3\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.19.6\", \"lessThan\": \"3.19.6\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.16.3\", \"lessThan\": \"3.16.3\", \"versionType\": \"custom\"}], \"platforms\": [\"core and lite\"]}], \"references\": [{\"url\": \"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/\", \"name\": \"FEDORA-2022-25f35ed634\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202301-09\", \"name\": \"GLSA-202301-09\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/\", \"name\": \"FEDORA-2022-15729fa33d\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"14ed7db2-1595-443d-9d34-6215bf890778\", \"shortName\": \"Google\", \"dateUpdated\": \"2023-04-27T00:00:00.000Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-3171\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-21T13:47:57.569Z\", \"dateReserved\": \"2022-09-09T00:00:00.000Z\", \"assignerOrgId\": \"14ed7db2-1595-443d-9d34-6215bf890778\", \"datePublished\": \"2022-10-12T00:00:00.000Z\", \"assignerShortName\": \"Google\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
cleanstart-2026-vh41554
Vulnerability from cleanstart
Published
2026-04-06 02:48
Modified
2026-04-03 09:17
Summary
Security fixes for CVE-2018-10237, CVE-2020-8908, CVE-2021-41973, CVE-2022-24823, CVE-2022-3171, CVE-2022-3509, CVE-2022-3510, CVE-2022-41881, CVE-2023-1370, CVE-2023-2976, CVE-2023-34453, CVE-2023-34454, CVE-2023-34455, CVE-2023-34462, CVE-2023-43642, CVE-2023-44487, CVE-2023-52428, CVE-2024-12798, CVE-2024-12801, CVE-2024-13009, CVE-2024-21634, CVE-2024-25638, CVE-2024-27137, CVE-2024-29025, CVE-2024-35255, CVE-2024-40094, CVE-2024-47535, CVE-2024-47554, CVE-2024-52046, CVE-2024-6763, CVE-2024-7254, CVE-2024-8184, CVE-2024-9823, CVE-2025-23015, CVE-2025-24860, CVE-2025-24970, CVE-2025-25193, CVE-2025-46392, CVE-2025-48734, CVE-2025-48924, CVE-2025-53864, CVE-2025-55163, CVE-2025-58056, CVE-2025-58057, CVE-2025-59419, CVE-2025-67735, CVE-2026-1225, CVE-2026-33870, CVE-2026-33871, ghsa-25qh-j22f-pwp8, ghsa-264p-99wq-f4j6, ghsa-269q-hmxg-m83q, ghsa-389x-839f-4rhx, ghsa-3p8m-j85q-pgmj, ghsa-493p-pfq6-5258, ghsa-4g8c-wm8x-jfhw, ghsa-4gg5-vx3j-xwc7, ghsa-55g7-9cwv-5qfv, ghsa-5jpm-x58v-624v, ghsa-5mg8-w23w-74h3, ghsa-6mjq-h674-j845, ghsa-6v67-2wr5-gvf4, ghsa-735f-pc8j-v9w8, ghsa-76h9-2vwh-w278, ghsa-78wr-2p64-hpwj, ghsa-7g45-4rm6-3mm3, ghsa-84h7-rjj3-6jx4, ghsa-cfxw-4h78-h7fw, ghsa-fghv-69vj-qj49, ghsa-fjpj-2g6w-x25r, ghsa-fx2c-96vj-985v, ghsa-g5ww-5jh7-63cx, ghsa-g8m5-722r-8whq, ghsa-gvpg-vgmx-xg6w, ghsa-h4h5-3hr4-j3g2, ghsa-h9mq-f6q5-6c8m, ghsa-j26w-f9rq-mr2q, ghsa-j288-q9x7-2f5v, ghsa-jq43-27x9-3v86, ghsa-mvr2-9pj6-7w5j, ghsa-pqr6-cmr2-h8hf, ghsa-pr98-23f8-jwxv, ghsa-prj3-ccx8-p6x4, ghsa-q4rv-gq96-w7c5, ghsa-qcwq-55hx-v3vh, ghsa-qqpg-mvqg-649v, ghsa-wxr5-93ph-8wr9, ghsa-xpw8-rcwv-8f8p, ghsa-xq3w-v528-46rv, ghsa-xwmg-2g98-w7v9 applied in versions: 1.0.90-r4, 1.0.91-r0, 1.0.91-r1
Details
Multiple security vulnerabilities affect the stargate package. These issues are resolved in later releases. See references for individual vulnerability details.
References
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "stargate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.91-r1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the stargate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-VH41554",
"modified": "2026-04-03T09:17:16Z",
"published": "2026-04-06T02:48:54.465143Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-VH41554.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2018-10237"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2020-8908"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-41973"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-24823"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-3171"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-3509"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-3510"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-41881"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-1370"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-2976"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-34453"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-34454"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-34455"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-34462"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-43642"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-44487"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-52428"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-12798"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-12801"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-13009"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-21634"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-25638"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-27137"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-29025"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-35255"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-40094"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-47535"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-47554"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-52046"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-6763"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-7254"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-8184"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-9823"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-23015"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-24860"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-24970"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-25193"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-46392"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-48734"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-48924"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-53864"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-55163"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-58056"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-58057"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-59419"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-67735"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1225"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33870"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33871"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25qh-j22f-pwp8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-264p-99wq-f4j6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-269q-hmxg-m83q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-389x-839f-4rhx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3p8m-j85q-pgmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-493p-pfq6-5258"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4g8c-wm8x-jfhw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4gg5-vx3j-xwc7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-55g7-9cwv-5qfv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5jpm-x58v-624v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5mg8-w23w-74h3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-6mjq-h674-j845"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-6v67-2wr5-gvf4"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-735f-pc8j-v9w8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-76h9-2vwh-w278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-78wr-2p64-hpwj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7g45-4rm6-3mm3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-84h7-rjj3-6jx4"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-cfxw-4h78-h7fw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fghv-69vj-qj49"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fjpj-2g6w-x25r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fx2c-96vj-985v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-g5ww-5jh7-63cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-g8m5-722r-8whq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-gvpg-vgmx-xg6w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-h4h5-3hr4-j3g2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-h9mq-f6q5-6c8m"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j26w-f9rq-mr2q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j288-q9x7-2f5v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jq43-27x9-3v86"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mvr2-9pj6-7w5j"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pqr6-cmr2-h8hf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pr98-23f8-jwxv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-prj3-ccx8-p6x4"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-q4rv-gq96-w7c5"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qcwq-55hx-v3vh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qqpg-mvqg-649v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-wxr5-93ph-8wr9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xpw8-rcwv-8f8p"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xq3w-v528-46rv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xwmg-2g98-w7v9"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10237"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8908"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41973"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24823"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3509"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3510"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2976"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34453"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34454"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34455"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34462"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43642"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52428"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12798"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12801"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13009"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21634"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25638"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27137"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29025"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35255"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40094"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47535"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52046"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6763"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9823"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23015"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24860"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24970"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25193"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46392"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48734"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53864"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58056"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58057"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59419"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67735"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1225"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33870"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33871"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2018-10237, CVE-2020-8908, CVE-2021-41973, CVE-2022-24823, CVE-2022-3171, CVE-2022-3509, CVE-2022-3510, CVE-2022-41881, CVE-2023-1370, CVE-2023-2976, CVE-2023-34453, CVE-2023-34454, CVE-2023-34455, CVE-2023-34462, CVE-2023-43642, CVE-2023-44487, CVE-2023-52428, CVE-2024-12798, CVE-2024-12801, CVE-2024-13009, CVE-2024-21634, CVE-2024-25638, CVE-2024-27137, CVE-2024-29025, CVE-2024-35255, CVE-2024-40094, CVE-2024-47535, CVE-2024-47554, CVE-2024-52046, CVE-2024-6763, CVE-2024-7254, CVE-2024-8184, CVE-2024-9823, CVE-2025-23015, CVE-2025-24860, CVE-2025-24970, CVE-2025-25193, CVE-2025-46392, CVE-2025-48734, CVE-2025-48924, CVE-2025-53864, CVE-2025-55163, CVE-2025-58056, CVE-2025-58057, CVE-2025-59419, CVE-2025-67735, CVE-2026-1225, CVE-2026-33870, CVE-2026-33871, ghsa-25qh-j22f-pwp8, ghsa-264p-99wq-f4j6, ghsa-269q-hmxg-m83q, ghsa-389x-839f-4rhx, ghsa-3p8m-j85q-pgmj, ghsa-493p-pfq6-5258, ghsa-4g8c-wm8x-jfhw, ghsa-4gg5-vx3j-xwc7, ghsa-55g7-9cwv-5qfv, ghsa-5jpm-x58v-624v, ghsa-5mg8-w23w-74h3, ghsa-6mjq-h674-j845, ghsa-6v67-2wr5-gvf4, ghsa-735f-pc8j-v9w8, ghsa-76h9-2vwh-w278, ghsa-78wr-2p64-hpwj, ghsa-7g45-4rm6-3mm3, ghsa-84h7-rjj3-6jx4, ghsa-cfxw-4h78-h7fw, ghsa-fghv-69vj-qj49, ghsa-fjpj-2g6w-x25r, ghsa-fx2c-96vj-985v, ghsa-g5ww-5jh7-63cx, ghsa-g8m5-722r-8whq, ghsa-gvpg-vgmx-xg6w, ghsa-h4h5-3hr4-j3g2, ghsa-h9mq-f6q5-6c8m, ghsa-j26w-f9rq-mr2q, ghsa-j288-q9x7-2f5v, ghsa-jq43-27x9-3v86, ghsa-mvr2-9pj6-7w5j, ghsa-pqr6-cmr2-h8hf, ghsa-pr98-23f8-jwxv, ghsa-prj3-ccx8-p6x4, ghsa-q4rv-gq96-w7c5, ghsa-qcwq-55hx-v3vh, ghsa-qqpg-mvqg-649v, ghsa-wxr5-93ph-8wr9, ghsa-xpw8-rcwv-8f8p, ghsa-xq3w-v528-46rv, ghsa-xwmg-2g98-w7v9 applied in versions: 1.0.90-r4, 1.0.91-r0, 1.0.91-r1",
"upstream": [
"CVE-2018-10237",
"CVE-2020-8908",
"CVE-2021-41973",
"CVE-2022-24823",
"CVE-2022-3171",
"CVE-2022-3509",
"CVE-2022-3510",
"CVE-2022-41881",
"CVE-2023-1370",
"CVE-2023-2976",
"CVE-2023-34453",
"CVE-2023-34454",
"CVE-2023-34455",
"CVE-2023-34462",
"CVE-2023-43642",
"CVE-2023-44487",
"CVE-2023-52428",
"CVE-2024-12798",
"CVE-2024-12801",
"CVE-2024-13009",
"CVE-2024-21634",
"CVE-2024-25638",
"CVE-2024-27137",
"CVE-2024-29025",
"CVE-2024-35255",
"CVE-2024-40094",
"CVE-2024-47535",
"CVE-2024-47554",
"CVE-2024-52046",
"CVE-2024-6763",
"CVE-2024-7254",
"CVE-2024-8184",
"CVE-2024-9823",
"CVE-2025-23015",
"CVE-2025-24860",
"CVE-2025-24970",
"CVE-2025-25193",
"CVE-2025-46392",
"CVE-2025-48734",
"CVE-2025-48924",
"CVE-2025-53864",
"CVE-2025-55163",
"CVE-2025-58056",
"CVE-2025-58057",
"CVE-2025-59419",
"CVE-2025-67735",
"CVE-2026-1225",
"CVE-2026-33870",
"CVE-2026-33871",
"ghsa-25qh-j22f-pwp8",
"ghsa-264p-99wq-f4j6",
"ghsa-269q-hmxg-m83q",
"ghsa-389x-839f-4rhx",
"ghsa-3p8m-j85q-pgmj",
"ghsa-493p-pfq6-5258",
"ghsa-4g8c-wm8x-jfhw",
"ghsa-4gg5-vx3j-xwc7",
"ghsa-55g7-9cwv-5qfv",
"ghsa-5jpm-x58v-624v",
"ghsa-5mg8-w23w-74h3",
"ghsa-6mjq-h674-j845",
"ghsa-6v67-2wr5-gvf4",
"ghsa-735f-pc8j-v9w8",
"ghsa-76h9-2vwh-w278",
"ghsa-78wr-2p64-hpwj",
"ghsa-7g45-4rm6-3mm3",
"ghsa-84h7-rjj3-6jx4",
"ghsa-cfxw-4h78-h7fw",
"ghsa-fghv-69vj-qj49",
"ghsa-fjpj-2g6w-x25r",
"ghsa-fx2c-96vj-985v",
"ghsa-g5ww-5jh7-63cx",
"ghsa-g8m5-722r-8whq",
"ghsa-gvpg-vgmx-xg6w",
"ghsa-h4h5-3hr4-j3g2",
"ghsa-h9mq-f6q5-6c8m",
"ghsa-j26w-f9rq-mr2q",
"ghsa-j288-q9x7-2f5v",
"ghsa-jq43-27x9-3v86",
"ghsa-mvr2-9pj6-7w5j",
"ghsa-pqr6-cmr2-h8hf",
"ghsa-pr98-23f8-jwxv",
"ghsa-prj3-ccx8-p6x4",
"ghsa-q4rv-gq96-w7c5",
"ghsa-qcwq-55hx-v3vh",
"ghsa-qqpg-mvqg-649v",
"ghsa-wxr5-93ph-8wr9",
"ghsa-xpw8-rcwv-8f8p",
"ghsa-xq3w-v528-46rv",
"ghsa-xwmg-2g98-w7v9"
]
}
cleanstart-2026-wk99982
Vulnerability from cleanstart
Published
2026-05-18 13:11
Modified
2026-05-14 06:06
Summary
Security fixes for CVE-2018-10237, CVE-2020-8908, CVE-2021-22569, CVE-2021-22570, CVE-2022-2047, CVE-2022-3171, CVE-2022-3509, CVE-2022-3510, CVE-2022-36364, CVE-2022-41881, CVE-2023-20861, CVE-2023-20863, CVE-2023-26048, CVE-2023-26049, CVE-2023-2976, CVE-2023-34462, CVE-2023-36479, CVE-2023-40167, CVE-2023-41900, CVE-2023-42503, CVE-2023-44981, CVE-2024-13009, CVE-2024-23454, CVE-2024-23944, CVE-2024-25710, CVE-2024-26308, CVE-2024-29131, CVE-2024-29133, CVE-2024-38808, CVE-2024-38820, CVE-2024-38827, CVE-2024-47554, CVE-2024-47561, CVE-2024-52046, CVE-2024-6763, CVE-2024-7254, CVE-2024-8184, CVE-2025-11143, CVE-2025-22233, CVE-2025-24970, CVE-2025-25193, CVE-2025-27821, CVE-2025-41249, CVE-2025-48734, CVE-2025-48924, CVE-2025-49128, CVE-2025-52999, CVE-2025-53864, CVE-2025-55163, CVE-2025-58056, CVE-2025-58057, CVE-2025-59419, CVE-2025-67735, CVE-2025-68161, CVE-2025-8916, CVE-2026-24281, CVE-2026-24308, CVE-2026-33870, CVE-2026-33871, CVE-2026-40490, CVE-2026-41417, CVE-2026-42578, CVE-2026-42579, CVE-2026-42583, CVE-2026-42586, CVE-2026-44248, CVE-2026-5588, ghsa-58qw-p7qm-5rvh, ghsa-72hv-8253-57qq, ghsa-mj4r-2hfc-f8p6 applied in versions: 4.0.1-r0, 4.0.1-r1, 4.0.1-r2
Details
Multiple security vulnerabilities affect the apache-hive package. These issues are resolved in later releases. See references for individual vulnerability details.
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "apache-hive"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.1-r2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the apache-hive package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-WK99982",
"modified": "2026-05-14T06:06:15Z",
"published": "2026-05-18T13:11:47.355078Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-WK99982.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2018-10237"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2020-8908"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-22569"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-22570"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-2047"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-3171"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-3509"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-3510"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-36364"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-41881"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-20861"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-20863"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-26048"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-26049"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-2976"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-34462"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-36479"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-40167"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-41900"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-42503"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-44981"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-13009"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-23454"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-23944"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-25710"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-26308"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-29131"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-29133"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-38808"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-38820"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-38827"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-47554"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-47561"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-52046"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-6763"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-7254"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-8184"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-11143"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-22233"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-24970"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-25193"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-27821"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-41249"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-48734"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-48924"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-49128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-52999"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-53864"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-55163"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-58056"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-58057"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-59419"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-67735"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-68161"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-8916"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24308"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33870"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33871"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-40490"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-41417"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42578"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42579"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42583"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42586"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-44248"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-5588"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-58qw-p7qm-5rvh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-72hv-8253-57qq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mj4r-2hfc-f8p6"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10237"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8908"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22569"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22570"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2047"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3509"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3510"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36364"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20861"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20863"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26048"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26049"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2976"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34462"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36479"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40167"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41900"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42503"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44981"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13009"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23454"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23944"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25710"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26308"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29131"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29133"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38808"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38820"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38827"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52046"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6763"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11143"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22233"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24970"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25193"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27821"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41249"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48734"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53864"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58056"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58057"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59419"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67735"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68161"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8916"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24308"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33870"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33871"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40490"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41417"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42578"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42579"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42583"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42586"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44248"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5588"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2018-10237, CVE-2020-8908, CVE-2021-22569, CVE-2021-22570, CVE-2022-2047, CVE-2022-3171, CVE-2022-3509, CVE-2022-3510, CVE-2022-36364, CVE-2022-41881, CVE-2023-20861, CVE-2023-20863, CVE-2023-26048, CVE-2023-26049, CVE-2023-2976, CVE-2023-34462, CVE-2023-36479, CVE-2023-40167, CVE-2023-41900, CVE-2023-42503, CVE-2023-44981, CVE-2024-13009, CVE-2024-23454, CVE-2024-23944, CVE-2024-25710, CVE-2024-26308, CVE-2024-29131, CVE-2024-29133, CVE-2024-38808, CVE-2024-38820, CVE-2024-38827, CVE-2024-47554, CVE-2024-47561, CVE-2024-52046, CVE-2024-6763, CVE-2024-7254, CVE-2024-8184, CVE-2025-11143, CVE-2025-22233, CVE-2025-24970, CVE-2025-25193, CVE-2025-27821, CVE-2025-41249, CVE-2025-48734, CVE-2025-48924, CVE-2025-49128, CVE-2025-52999, CVE-2025-53864, CVE-2025-55163, CVE-2025-58056, CVE-2025-58057, CVE-2025-59419, CVE-2025-67735, CVE-2025-68161, CVE-2025-8916, CVE-2026-24281, CVE-2026-24308, CVE-2026-33870, CVE-2026-33871, CVE-2026-40490, CVE-2026-41417, CVE-2026-42578, CVE-2026-42579, CVE-2026-42583, CVE-2026-42586, CVE-2026-44248, CVE-2026-5588, ghsa-58qw-p7qm-5rvh, ghsa-72hv-8253-57qq, ghsa-mj4r-2hfc-f8p6 applied in versions: 4.0.1-r0, 4.0.1-r1, 4.0.1-r2",
"upstream": [
"CVE-2018-10237",
"CVE-2020-8908",
"CVE-2021-22569",
"CVE-2021-22570",
"CVE-2022-2047",
"CVE-2022-3171",
"CVE-2022-3509",
"CVE-2022-3510",
"CVE-2022-36364",
"CVE-2022-41881",
"CVE-2023-20861",
"CVE-2023-20863",
"CVE-2023-26048",
"CVE-2023-26049",
"CVE-2023-2976",
"CVE-2023-34462",
"CVE-2023-36479",
"CVE-2023-40167",
"CVE-2023-41900",
"CVE-2023-42503",
"CVE-2023-44981",
"CVE-2024-13009",
"CVE-2024-23454",
"CVE-2024-23944",
"CVE-2024-25710",
"CVE-2024-26308",
"CVE-2024-29131",
"CVE-2024-29133",
"CVE-2024-38808",
"CVE-2024-38820",
"CVE-2024-38827",
"CVE-2024-47554",
"CVE-2024-47561",
"CVE-2024-52046",
"CVE-2024-6763",
"CVE-2024-7254",
"CVE-2024-8184",
"CVE-2025-11143",
"CVE-2025-22233",
"CVE-2025-24970",
"CVE-2025-25193",
"CVE-2025-27821",
"CVE-2025-41249",
"CVE-2025-48734",
"CVE-2025-48924",
"CVE-2025-49128",
"CVE-2025-52999",
"CVE-2025-53864",
"CVE-2025-55163",
"CVE-2025-58056",
"CVE-2025-58057",
"CVE-2025-59419",
"CVE-2025-67735",
"CVE-2025-68161",
"CVE-2025-8916",
"CVE-2026-24281",
"CVE-2026-24308",
"CVE-2026-33870",
"CVE-2026-33871",
"CVE-2026-40490",
"CVE-2026-41417",
"CVE-2026-42578",
"CVE-2026-42579",
"CVE-2026-42583",
"CVE-2026-42586",
"CVE-2026-44248",
"CVE-2026-5588",
"ghsa-58qw-p7qm-5rvh",
"ghsa-72hv-8253-57qq",
"ghsa-mj4r-2hfc-f8p6"
]
}
FKIE_CVE-2022-3171
Vulnerability from fkie_nvd - Published: 2022-10-12 23:15 - Updated: 2024-11-21 07:18
Severity
4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
References
| URL | Tags | ||
|---|---|---|---|
| cve-coordination@google.com | https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2 | Third Party Advisory | |
| cve-coordination@google.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/ | ||
| cve-coordination@google.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/ | ||
| cve-coordination@google.com | https://security.gentoo.org/glsa/202301-09 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202301-09 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| google-protobuf | * | ||
| google-protobuf | * | ||
| google-protobuf | * | ||
| google-protobuf | * | ||
| protobuf-java | * | ||
| protobuf-java | * | ||
| protobuf-java | * | ||
| protobuf-java | * | ||
| protobuf-javalite | * | ||
| protobuf-javalite | * | ||
| protobuf-javalite | * | ||
| protobuf-javalite | * | ||
| protobuf-kotlin | * | ||
| protobuf-kotlin | * | ||
| protobuf-kotlin | * | ||
| protobuf-kotlin | * | ||
| protobuf-kotlin-lite | * | ||
| protobuf-kotlin-lite | * | ||
| protobuf-kotlin-lite | * | ||
| protobuf-kotlin-lite | * | ||
| fedoraproject | fedora | 37 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "1097AC30-B07F-4759-B62E-86B7856DB9BF",
"versionEndExcluding": "3.16.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "F9A3FACD-AB55-41D7-86E2-A49E55C901E9",
"versionEndExcluding": "3.19.6",
"versionStartIncluding": "3.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "C92E0E73-782B-4ABB-A1C9-FB762744E1E8",
"versionEndExcluding": "3.20.3",
"versionStartIncluding": "3.20.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "83C75530-D5AE-4AD9-A548-E4AD87300982",
"versionEndExcluding": "3.21.7",
"versionStartIncluding": "3.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DC11741F-5A8A-4EBA-B4F8-046866813A97",
"versionEndExcluding": "3.16.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E669203D-A2DE-4148-A966-81843737603C",
"versionEndExcluding": "3.19.6",
"versionStartIncluding": "3.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
"matchCriteriaId": "56CA1E8D-A555-4F4F-80D8-F23D0DC50BB8",
"versionEndExcluding": "3.20.3",
"versionStartIncluding": "3.20.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E82CFAC2-2F65-45FD-88D9-D42145FC4A4F",
"versionEndExcluding": "3.21.7",
"versionStartIncluding": "3.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*",
"matchCriteriaId": "50F55B55-9C50-4489-A1A7-9FD0893FB877",
"versionEndExcluding": "3.16.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2B4050D4-2224-467C-B46D-2CD734B3B0FB",
"versionEndExcluding": "3.19.6",
"versionStartIncluding": "3.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*",
"matchCriteriaId": "459A8615-D2ED-49F3-A81C-DC4560D96C93",
"versionEndExcluding": "3.20.3",
"versionStartIncluding": "3.20.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*",
"matchCriteriaId": "712693B9-41AB-41D1-97B2-560FDFEE0863",
"versionEndExcluding": "3.21.7",
"versionStartIncluding": "3.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78B4C867-FA47-464D-85D1-DB46E5F035A6",
"versionEndExcluding": "3.16.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DCCCC941-D98E-4B60-A1E2-282EBFF92B17",
"versionEndExcluding": "3.19.6",
"versionStartIncluding": "3.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "85E923BA-CB98-4B28-9BB5-A8D62E21D086",
"versionEndExcluding": "3.20.3",
"versionStartIncluding": "3.20.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "81C71355-5BBB-4197-A5A6-EFDF750C4C90",
"versionEndExcluding": "3.21.7",
"versionStartIncluding": "3.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F758471D-1586-4A85-A567-85321F7B186F",
"versionEndExcluding": "3.16.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DAA9ACA3-A94B-473B-9393-51C32473954F",
"versionEndExcluding": "3.19.6",
"versionStartIncluding": "3.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2EE1D9B6-30FC-4AB9-921B-A4A8F4E41387",
"versionEndExcluding": "3.20.3",
"versionStartIncluding": "3.20.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9839B552-5DAF-4892-B34D-69201B0258A2",
"versionEndExcluding": "3.21.7",
"versionStartIncluding": "3.21.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
"matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above."
},
{
"lang": "es",
"value": "Un problema de an\u00e1lisis de datos binarios en protobuf-java core y lite versiones anteriores a 3.21.7, 3.20.3, 3.19.6 y 3.16.3, puede conllevar a un ataque de denegaci\u00f3n de servicio. Las entradas que contienen m\u00faltiples instancias de mensajes insertados no repetidos con campos repetidos o desconocidos causan que los objetos sean convertidos de ida y vuelta entre las formas mutables e inmutables, resultando en pausas de recolecci\u00f3n de basura potencialmente largas. Es recomendado actualizar a versiones mencionadas anteriormente"
}
],
"id": "CVE-2022-3171",
"lastModified": "2024-11-21T07:18:58.277",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "cve-coordination@google.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-12T23:15:09.807",
"references": [
{
"source": "cve-coordination@google.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
},
{
"source": "cve-coordination@google.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/"
},
{
"source": "cve-coordination@google.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/"
},
{
"source": "cve-coordination@google.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202301-09"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202301-09"
}
],
"sourceIdentifier": "cve-coordination@google.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "cve-coordination@google.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-H4H5-3HR4-J3G2
Vulnerability from github – Published: 2022-10-04 22:17 – Updated: 2022-10-04 22:17
VLAI
Summary
protobuf-java has a potential Denial of Service issue
Details
Summary
A potential Denial of Service issue in protobuf-java core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.
Reporter: OSS Fuzz
Affected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.
Severity
CVE-2022-3171 Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)
Remediation and Mitigation
Please update to the latest available versions of the following packages:
protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3) google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)
Severity
5.7 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-java"
},
"ranges": [
{
"events": [
{
"introduced": "3.21.0-rc-1"
},
{
"fixed": "3.21.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-kotlin"
},
"ranges": [
{
"events": [
{
"introduced": "3.21.0-rc-1"
},
{
"fixed": "3.21.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "google-protobuf"
},
"ranges": [
{
"events": [
{
"introduced": "3.21.0.rc.1"
},
{
"fixed": "3.21.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-javalite"
},
"ranges": [
{
"events": [
{
"introduced": "3.21.0-rc-1"
},
{
"fixed": "3.21.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-kotlin-lite"
},
"ranges": [
{
"events": [
{
"introduced": "3.21.0-rc-1"
},
{
"fixed": "3.21.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-java"
},
"ranges": [
{
"events": [
{
"introduced": "3.20.0-rc-1"
},
{
"fixed": "3.20.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-java"
},
"ranges": [
{
"events": [
{
"introduced": "3.17.0-rc-1"
},
{
"fixed": "3.19.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-java"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.16.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-kotlin"
},
"ranges": [
{
"events": [
{
"introduced": "3.20.0-rc-1"
},
{
"fixed": "3.20.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-kotlin"
},
"ranges": [
{
"events": [
{
"introduced": "3.17.0-rc-1"
},
{
"fixed": "3.19.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-kotlin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.16.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "google-protobuf"
},
"ranges": [
{
"events": [
{
"introduced": "3.20.0.rc.1"
},
{
"fixed": "3.20.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "google-protobuf"
},
"ranges": [
{
"events": [
{
"introduced": "3.17.0.rc.1"
},
{
"fixed": "3.19.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "google-protobuf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.16.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-javalite"
},
"ranges": [
{
"events": [
{
"introduced": "3.20.0-rc-1"
},
{
"fixed": "3.20.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-javalite"
},
"ranges": [
{
"events": [
{
"introduced": "3.17.0-rc-1"
},
{
"fixed": "3.19.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-javalite"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.16.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-kotlin-lite"
},
"ranges": [
{
"events": [
{
"introduced": "3.20.0-rc-1"
},
{
"fixed": "3.20.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-kotlin-lite"
},
"ranges": [
{
"events": [
{
"introduced": "3.17.0-rc-1"
},
{
"fixed": "3.19.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-kotlin-lite"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.16.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-3171"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-04T22:17:15Z",
"nvd_published_at": "2022-10-12T23:15:00Z",
"severity": "MODERATE"
},
"details": "## Summary\nA potential Denial of Service issue in `protobuf-java` core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated [embedded messages](http://developers.google.com/protocol-buffers/docs/encoding#embedded) with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. \n\nReporter: [OSS Fuzz](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771)\n\nAffected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.\n\n## Severity\n\n[CVE-2022-3171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171) Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)\n\n## Remediation and Mitigation\n\nPlease update to the latest available versions of the following packages:\n\nprotobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)\nprotobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)\nprotobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3)\nprotobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3)\ngoogle-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)\n",
"id": "GHSA-h4h5-3hr4-j3g2",
"modified": "2022-10-04T22:17:15Z",
"published": "2022-10-04T22:17:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771"
},
{
"type": "PACKAGE",
"url": "https://github.com/protocolbuffers/protobuf"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/releases/tag/v21.7"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2022-3171.yml"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202301-09"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "protobuf-java has a potential Denial of Service issue"
}
GSD-2022-3171
Vulnerability from gsd - Updated: 2022-10-04 00:00Details
## Summary
A potential Denial of Service issue in `protobuf-java` core and lite was
discovered in the parsing procedure for binary and text format data.
Input streams containing multiple instances of non-repeated [embedded
messages](http://developers.google.com/protocol-buffers/docs/encoding#embedded)
with repeated or unknown fields causes objects to be converted back-n-forth
between mutable and immutable forms, resulting in potentially long garbage
collection pauses.
Reporter: [OSS Fuzz](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771)
Affected versions: This issue affects both the Java full and lite Protobuf
runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the
Java Protobuf runtime.
## Severity
[CVE-2022-3171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171)
Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)
## Remediation and Mitigation
Please update to the latest available versions of the following packages:
* protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)
* protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
* protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3)
* protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
* google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-3171",
"id": "GSD-2022-3171",
"references": [
"https://access.redhat.com/errata/RHSA-2022:7896",
"https://access.redhat.com/errata/RHSA-2022:9023",
"https://www.suse.com/security/cve/CVE-2022-3171.html",
"https://access.redhat.com/errata/RHSA-2023:1006"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "google-protobuf",
"purl": "pkg:gem/google-protobuf"
}
}
],
"aliases": [
"CVE-2022-3171",
"GHSA-h4h5-3hr4-j3g2"
],
"details": "## Summary\nA potential Denial of Service issue in `protobuf-java` core and lite was\ndiscovered in the parsing procedure for binary and text format data.\nInput streams containing multiple instances of non-repeated [embedded\nmessages](http://developers.google.com/protocol-buffers/docs/encoding#embedded)\nwith repeated or unknown fields causes objects to be converted back-n-forth\nbetween mutable and immutable forms, resulting in potentially long garbage\ncollection pauses.\n\nReporter: [OSS Fuzz](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771)\n\nAffected versions: This issue affects both the Java full and lite Protobuf\nruntimes, as well as Protobuf for Kotlin and JRuby, which themselves use the\nJava Protobuf runtime.\n\n## Severity\n\n[CVE-2022-3171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171)\nMedium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)\n\n## Remediation and Mitigation\n\nPlease update to the latest available versions of the following packages:\n\n* protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)\n* protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)\n* protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3)\n* protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3)\n* google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)\n",
"id": "GSD-2022-3171",
"modified": "2022-10-04T00:00:00.000Z",
"published": "2022-10-04T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/releases/tag/v21.7"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 5.7,
"type": "CVSS_V3"
}
],
"summary": "protobuf-java has a potential Denial of Service issue"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@google.com",
"ID": "CVE-2022-3171",
"STATE": "PUBLIC",
"TITLE": "Memory handling vulnerability in ProtocolBuffers Java core and lite"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Protocolbuffers",
"version": {
"version_data": [
{
"platform": "core and lite",
"version_affected": "\u003c",
"version_name": "3.21.7",
"version_value": "3.21.7"
},
{
"platform": "core and lite",
"version_affected": "\u003c",
"version_name": "3.20.3",
"version_value": "3.20.3"
},
{
"platform": "core and lite",
"version_affected": "\u003c",
"version_name": "3.19.6",
"version_value": "3.19.6"
},
{
"platform": "core and lite",
"version_affected": "\u003c",
"version_name": "3.16.3",
"version_value": "3.16.3"
}
]
}
}
]
},
"vendor_name": "Google LLC"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2",
"refsource": "CONFIRM",
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
},
{
"name": "FEDORA-2022-25f35ed634",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/"
},
{
"name": "GLSA-202301-09",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202301-09"
},
{
"name": "FEDORA-2022-15729fa33d",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/"
}
]
},
"source": {
"discovery": "INTERNAL"
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2022-3171",
"cvss_v3": 5.7,
"date": "2022-10-04",
"description": "## Summary\nA potential Denial of Service issue in `protobuf-java` core and lite was\ndiscovered in the parsing procedure for binary and text format data.\nInput streams containing multiple instances of non-repeated [embedded\nmessages](http://developers.google.com/protocol-buffers/docs/encoding#embedded)\nwith repeated or unknown fields causes objects to be converted back-n-forth\nbetween mutable and immutable forms, resulting in potentially long garbage\ncollection pauses.\n\nReporter: [OSS Fuzz](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771)\n\nAffected versions: This issue affects both the Java full and lite Protobuf\nruntimes, as well as Protobuf for Kotlin and JRuby, which themselves use the\nJava Protobuf runtime.\n\n## Severity\n\n[CVE-2022-3171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171)\nMedium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)\n\n## Remediation and Mitigation\n\nPlease update to the latest available versions of the following packages:\n\n* protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)\n* protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)\n* protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3)\n* protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3)\n* google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)\n",
"gem": "google-protobuf",
"ghsa": "h4h5-3hr4-j3g2",
"patched_versions": [
"~\u003e 3.16.3",
"~\u003e 3.19.6",
"~\u003e 3.20.3",
"\u003e= 3.21.7"
],
"platform": "jruby",
"related": {
"url": [
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771",
"https://github.com/protocolbuffers/protobuf/releases/tag/v21.7",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3"
]
},
"title": "protobuf-java has a potential Denial of Service issue",
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c3.16.3||\u003e=3.17.0 \u003c3.19.6||\u003e=3.20.0 \u003c3.20.3||\u003e=3.21.0 \u003c3.21.7",
"affected_versions": "All versions before 3.16.3, all versions starting from 3.17.0 before 3.19.6, all versions starting from 3.20.0 before 3.20.3, all versions starting from 3.21.0 before 3.21.7",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2023-04-27",
"description": "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.",
"fixed_versions": [
"3.17.0.rc.1",
"3.19.6",
"3.20.3",
"3.21.7"
],
"identifier": "CVE-2022-3171",
"identifiers": [
"CVE-2022-3171",
"GHSA-h4h5-3hr4-j3g2",
"GMS-2022-5022"
],
"not_impacted": "All versions starting from 3.16.3 before 3.17.0, all versions starting from 3.19.6 before 3.20.0, all versions starting from 3.20.3 before 3.21.0, all versions starting from 3.21.7",
"package_slug": "gem/google-protobuf",
"pubdate": "2022-10-12",
"solution": "Upgrade to versions 3.17.0.rc.1, 3.19.6, 3.20.3, 3.21.7 or above.",
"title": "Uncontrolled Resource Consumption",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-3171",
"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2",
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771",
"https://github.com/protocolbuffers/protobuf/releases/tag/v21.7",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3",
"https://github.com/advisories/GHSA-h4h5-3hr4-j3g2"
],
"uuid": "5456716e-62ac-408e-99e0-8d7290e335c7"
},
{
"affected_range": "\u003c0",
"affected_versions": "All versions before 3.16.3, all versions starting from 3.17.0.rc.1 before 3.19.6, all versions starting from 3.20.0.rc.1 before 3.20.3, all versions starting from 3.21.0.rc.1 before 3.21.7",
"cwe_ids": [
"CWE-1035",
"CWE-707",
"CWE-937"
],
"date": "2022-10-04",
"description": "Improper Neutralization in google-protobuf.",
"fixed_versions": [
"3.20.3",
"3.21.7",
"3.16.3",
"3.19.6"
],
"identifier": "GMS-2022-5022",
"identifiers": [
"GHSA-h4h5-3hr4-j3g2",
"GMS-2022-5022",
"CVE-2022-3171"
],
"not_impacted": "All versions starting from 3.16.3 before 3.17.0.rc.1, all versions starting from 3.19.6 before 3.20.0.rc.1, all versions starting from 3.20.3 before 3.21.0.rc.1, all versions starting from 3.21.7",
"package_slug": "gem/google-protobuf",
"pubdate": "2022-10-04",
"solution": "Upgrade to versions 3.20.3, 3.21.7, 3.16.3, 3.19.6 or above.",
"title": "Duplicate of ./gem/google-protobuf/CVE-2022-3171.yml",
"urls": [
"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2",
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771",
"https://github.com/protocolbuffers/protobuf/releases/tag/v21.7",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3",
"https://github.com/advisories/GHSA-h4h5-3hr4-j3g2"
],
"uuid": "1ba67fcd-46ea-4ae7-b1bf-c3b1adb769d9"
},
{
"affected_range": "(,3.16.3),[3.17.0,3.19.6),[3.20.0,3.20.3),[3.21.0,3.21.7)",
"affected_versions": "All versions before 3.16.3, all versions starting from 3.17.0 before 3.19.6, all versions starting from 3.20.0 before 3.20.3, all versions starting from 3.21.0 before 3.21.7",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2023-04-27",
"description": "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.",
"fixed_versions": [
"3.16.3",
"3.19.6",
"3.20.3",
"3.21.7"
],
"identifier": "CVE-2022-3171",
"identifiers": [
"CVE-2022-3171",
"GHSA-h4h5-3hr4-j3g2",
"GMS-2022-4942"
],
"not_impacted": "All versions starting from 3.16.3 before 3.17.0, all versions starting from 3.19.6 before 3.20.0, all versions starting from 3.20.3 before 3.21.0, all versions starting from 3.21.7",
"package_slug": "maven/com.google.protobuf/protobuf-java",
"pubdate": "2022-10-12",
"solution": "Upgrade to versions 3.16.3, 3.19.6, 3.20.3, 3.21.7 or above.",
"title": "Improper Input Validation",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-3171",
"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2",
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771",
"https://github.com/protocolbuffers/protobuf/releases/tag/v21.7",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3",
"https://github.com/advisories/GHSA-h4h5-3hr4-j3g2"
],
"uuid": "bc13f0b9-f5ec-4ebc-853e-73168937cae0"
},
{
"affected_range": "(,0)",
"affected_versions": "All versions before 3.16.3, all versions starting from 3.17.0-rc-1 before 3.19.6, all versions starting from 3.20.0-rc-1 before 3.20.3, all versions starting from 3.21.0-rc-1 before 3.21.7",
"cwe_ids": [
"CWE-1035",
"CWE-707",
"CWE-937"
],
"date": "2022-10-04",
"description": "Improper Neutralization in com.google.protobuf:protobuf-java.",
"fixed_versions": [
"3.20.3",
"3.21.7",
"3.16.3",
"3.19.6"
],
"identifier": "GMS-2022-4942",
"identifiers": [
"GHSA-h4h5-3hr4-j3g2",
"GMS-2022-4942",
"CVE-2022-3171"
],
"not_impacted": "All versions starting from 3.16.3 before 3.17.0-rc-1, all versions starting from 3.19.6 before 3.20.0-rc-1, all versions starting from 3.20.3 before 3.21.0-rc-1, all versions starting from 3.21.7",
"package_slug": "maven/com.google.protobuf/protobuf-java",
"pubdate": "2022-10-04",
"solution": "Upgrade to versions 3.20.3, 3.21.7, 3.16.3, 3.19.6 or above.",
"title": "Duplicate of ./maven/com.google.protobuf/protobuf-java/CVE-2022-3171.yml",
"urls": [
"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2",
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771",
"https://github.com/protocolbuffers/protobuf/releases/tag/v21.7",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3",
"https://github.com/advisories/GHSA-h4h5-3hr4-j3g2"
],
"uuid": "f185007f-fc92-4539-b022-c32f609f9b04"
},
{
"affected_range": "(,3.16.3),[3.17.0-rc-1,3.19.6),[3.20.0-rc-1,3.20.3),[3.21.0-rc-1,3.21.7)",
"affected_versions": "All versions before 3.16.3, all versions starting from 3.17.0-rc-1 before 3.19.6, all versions starting from 3.20.0-rc-1 before 3.20.3, all versions starting from 3.21.0-rc-1 before 3.21.7",
"cwe_ids": [
"CWE-1035",
"CWE-707",
"CWE-937"
],
"date": "2022-10-04",
"description": "Improper Neutralization in com.google.protobuf:protobuf-javalite.",
"fixed_versions": [
"3.20.3",
"3.21.7",
"3.16.3",
"3.19.6"
],
"identifier": "GMS-2022-4943",
"identifiers": [
"GHSA-h4h5-3hr4-j3g2",
"GMS-2022-4943",
"CVE-2022-3171"
],
"not_impacted": "All versions starting from 3.16.3 before 3.17.0-rc-1, all versions starting from 3.19.6 before 3.20.0-rc-1, all versions starting from 3.20.3 before 3.21.0-rc-1, all versions starting from 3.21.7",
"package_slug": "maven/com.google.protobuf/protobuf-javalite",
"pubdate": "2022-10-04",
"solution": "Upgrade to versions 3.20.3, 3.21.7, 3.16.3, 3.19.6 or above.",
"title": "Improper Neutralization",
"urls": [
"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2",
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771",
"https://github.com/protocolbuffers/protobuf/releases/tag/v21.7",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3",
"https://github.com/advisories/GHSA-h4h5-3hr4-j3g2"
],
"uuid": "c03d4a97-b267-45f8-a21b-b9044ade791b"
},
{
"affected_range": "(,3.16.3),[3.17.0-rc-1,3.19.6),[3.20.0-rc-1,3.20.3),[3.21.0-rc-1,3.21.7)",
"affected_versions": "All versions before 3.16.3, all versions starting from 3.17.0-rc-1 before 3.19.6, all versions starting from 3.20.0-rc-1 before 3.20.3, all versions starting from 3.21.0-rc-1 before 3.21.7",
"cwe_ids": [
"CWE-1035",
"CWE-707",
"CWE-937"
],
"date": "2022-10-04",
"description": "Improper Neutralization in com.google.protobuf:protobuf-kotlin-lite.",
"fixed_versions": [
"3.20.3",
"3.21.7",
"3.16.3",
"3.19.6"
],
"identifier": "GMS-2022-4945",
"identifiers": [
"GHSA-h4h5-3hr4-j3g2",
"GMS-2022-4945",
"CVE-2022-3171"
],
"not_impacted": "All versions starting from 3.16.3 before 3.17.0-rc-1, all versions starting from 3.19.6 before 3.20.0-rc-1, all versions starting from 3.20.3 before 3.21.0-rc-1, all versions starting from 3.21.7",
"package_slug": "maven/com.google.protobuf/protobuf-kotlin-lite",
"pubdate": "2022-10-04",
"solution": "Upgrade to versions 3.20.3, 3.21.7, 3.16.3, 3.19.6 or above.",
"title": "Improper Neutralization",
"urls": [
"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2",
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771",
"https://github.com/protocolbuffers/protobuf/releases/tag/v21.7",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3",
"https://github.com/advisories/GHSA-h4h5-3hr4-j3g2"
],
"uuid": "128f2825-cbe0-47b1-ae20-0ed8af3df6e3"
},
{
"affected_range": "(,3.16.3),[3.17.0,3.19.6),[3.20.0,3.20.3),[3.21.0,3.21.7)",
"affected_versions": "All versions before 3.16.3, all versions starting from 3.17.0 before 3.19.6, all versions starting from 3.20.0 before 3.20.3, all versions starting from 3.21.0 before 3.21.7",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2023-04-27",
"description": "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.",
"fixed_versions": [
"3.16.3",
"3.19.6",
"3.20.3",
"3.21.7"
],
"identifier": "CVE-2022-3171",
"identifiers": [
"CVE-2022-3171",
"GHSA-h4h5-3hr4-j3g2",
"GMS-2022-4944"
],
"not_impacted": "",
"package_slug": "maven/com.google.protobuf/protobuf-kotlin",
"pubdate": "2022-10-12",
"solution": "Upgrade to versions 3.16.3, 3.19.6, 3.20.3, 3.21.7 or above.",
"title": "Uncontrolled Resource Consumption",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-3171",
"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2",
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771",
"https://github.com/protocolbuffers/protobuf/releases/tag/v21.7",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3",
"https://github.com/advisories/GHSA-h4h5-3hr4-j3g2"
],
"uuid": "89cbf335-663b-4d85-8566-cf821a9a413f"
},
{
"affected_range": "(,0)",
"affected_versions": "All versions before 3.16.3, all versions starting from 3.17.0-rc-1 before 3.19.6, all versions starting from 3.20.0-rc-1 before 3.20.3, all versions starting from 3.21.0-rc-1 before 3.21.7",
"cwe_ids": [
"CWE-1035",
"CWE-707",
"CWE-937"
],
"date": "2022-10-04",
"description": "Improper Neutralization in com.google.protobuf:protobuf-kotlin.",
"fixed_versions": [
"3.20.3",
"3.21.7",
"3.16.3",
"3.19.6"
],
"identifier": "GMS-2022-4944",
"identifiers": [
"GHSA-h4h5-3hr4-j3g2",
"GMS-2022-4944",
"CVE-2022-3171"
],
"not_impacted": "All versions starting from 3.16.3 before 3.17.0-rc-1, all versions starting from 3.19.6 before 3.20.0-rc-1, all versions starting from 3.20.3 before 3.21.0-rc-1, all versions starting from 3.21.7",
"package_slug": "maven/com.google.protobuf/protobuf-kotlin",
"pubdate": "2022-10-04",
"solution": "Upgrade to versions 3.20.3, 3.21.7, 3.16.3, 3.19.6 or above.",
"title": "Duplicate of ./maven/com.google.protobuf/protobuf-kotlin/CVE-2022-3171.yml",
"urls": [
"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2",
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771",
"https://github.com/protocolbuffers/protobuf/releases/tag/v21.7",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6",
"https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3",
"https://github.com/advisories/GHSA-h4h5-3hr4-j3g2"
],
"uuid": "ae48f926-fc89-4d4c-a370-50c09bb5766b"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.16.3",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.19.6",
"versionStartIncluding": "3.17.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.20.3",
"versionStartIncluding": "3.20.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.21.7",
"versionStartIncluding": "3.21.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.16.3",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.16.3",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.21.7",
"versionStartIncluding": "3.21.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.20.3",
"versionStartIncluding": "3.20.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.19.6",
"versionStartIncluding": "3.17.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.19.6",
"versionStartIncluding": "3.17.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.20.3",
"versionStartIncluding": "3.20.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.21.7",
"versionStartIncluding": "3.21.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.16.3",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.21.7",
"versionStartIncluding": "3.21.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.20.3",
"versionStartIncluding": "3.20.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.19.6",
"versionStartIncluding": "3.17.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "3.21.7",
"versionStartIncluding": "3.21.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "3.20.3",
"versionStartIncluding": "3.20.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "3.19.6",
"versionStartIncluding": "3.17.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "3.16.3",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@google.com",
"ID": "CVE-2022-3171"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
},
{
"name": "FEDORA-2022-25f35ed634",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/"
},
{
"name": "GLSA-202301-09",
"refsource": "GENTOO",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202301-09"
},
{
"name": "FEDORA-2022-15729fa33d",
"refsource": "FEDORA",
"tags": [],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2023-04-27T03:15Z",
"publishedDate": "2022-10-12T23:15Z"
}
}
}
MSRC_CVE-2022-3171
Vulnerability from csaf_microsoft - Published: 2022-10-02 00:00 - Updated: 2026-02-18 01:44Summary
Memory handling vulnerability in ProtocolBuffers Java core and lite
Notes
Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
7.5 (High)
Affected products
Fixed
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17021-17084 | — | ||
| Unresolved product id: 19696-17084 | — |
Known affected
2 products
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17084-2 | — |
References
4 references
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2022/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2022/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2022-3171 Memory handling vulnerability in ProtocolBuffers Java core and lite - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-3171.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "Memory handling vulnerability in ProtocolBuffers Java core and lite",
"tracking": {
"current_release_date": "2026-02-18T01:44:15.000Z",
"generator": {
"date": "2026-02-18T14:37:35.386Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2022-3171",
"initial_release_date": "2022-10-02T00:00:00.000Z",
"revision_history": [
{
"date": "2024-09-11T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2026-02-18T01:44:15.000Z",
"legacy_version": "1.1",
"number": "2",
"summary": "Information published."
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 python-tensorboard 2.16.2-2",
"product": {
"name": "\u003cazl3 python-tensorboard 2.16.2-2",
"product_id": "3"
}
},
{
"category": "product_version",
"name": "azl3 python-tensorboard 2.16.2-2",
"product": {
"name": "azl3 python-tensorboard 2.16.2-2",
"product_id": "17021"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 python-tensorboard 2.11.0-3",
"product": {
"name": "\u003cazl3 python-tensorboard 2.11.0-3",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "azl3 python-tensorboard 2.11.0-3",
"product": {
"name": "azl3 python-tensorboard 2.11.0-3",
"product_id": "19696"
}
}
],
"category": "product_name",
"name": "python-tensorboard"
},
{
"category": "product_name",
"name": "azl3 pytorch 2.2.2-7",
"product": {
"name": "azl3 pytorch 2.2.2-7",
"product_id": "2"
}
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 python-tensorboard 2.16.2-2 as a component of Azure Linux 3.0",
"product_id": "17084-3"
},
"product_reference": "3",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 python-tensorboard 2.16.2-2 as a component of Azure Linux 3.0",
"product_id": "17021-17084"
},
"product_reference": "17021",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 pytorch 2.2.2-7 as a component of Azure Linux 3.0",
"product_id": "17084-2"
},
"product_reference": "2",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 python-tensorboard 2.11.0-3 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 python-tensorboard 2.11.0-3 as a component of Azure Linux 3.0",
"product_id": "19696-17084"
},
"product_reference": "19696",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-3171",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"flags": [
{
"label": "component_not_present",
"product_ids": [
"17084-2"
]
}
],
"notes": [
{
"category": "general",
"text": "Google",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"17021-17084",
"19696-17084"
],
"known_affected": [
"17084-3",
"17084-1"
],
"known_not_affected": [
"17084-2"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2022-3171 Memory handling vulnerability in ProtocolBuffers Java core and lite - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-3171.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2024-09-11T00:00:00.000Z",
"details": "2.16.2-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-3",
"17084-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalsScore": 0.0,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"17084-3",
"17084-1"
]
}
],
"title": "Memory handling vulnerability in ProtocolBuffers Java core and lite"
}
]
}
RHSA-2022:7896
Vulnerability from csaf_redhat - Published: 2022-11-09 13:48 - Updated: 2026-05-14 22:32Summary
Red Hat Security Advisory: Red Hat Integration Debezium 1.9.7 security update
Severity
Moderate
Notes
Topic: A security update for Debezium is now available for Red Hat Integration.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Debezium is a distributed platform that turns your existing databases into event streams, so applications can see and respond immediately to each row-level change in the databases.
Debezium is built on top of Apache Kafka and provides Kafka Connect compatible connectors that monitor specific database management systems. Debezium records the history of data changes in Kafka logs, from where your application consumes them. This makes it possible for your application to easily consume all of the events correctly and completely. Even if your application stops unexpectedly, it will not miss anything: when the application restarts, it will resume consuming the events where it left off.
Security Fix(es):
* protobuf-java: potential DoS in the parsing procedure for binary data (CVE-2021-22569)
* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in protobuf-java. Google Protocol Buffer (protobuf-java) allows the interleaving of com.google.protobuf.UnknownFieldSet fields. By persuading a victim to open specially-crafted content, a remote attacker could cause a timeout in the ProtobufFuzzer function, resulting in a denial of service.
5.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHINT Debezium 1.9.7
Red Hat / Red Hat Integration
|
cpe:/a:redhat:integration:1
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHINT Debezium 1.9.7
Red Hat / Red Hat Integration
|
cpe:/a:redhat:integration:1
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
17 references
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2022:7896 | self |
| https://access.redhat.com/security/updates/classi… | external |
| https://access.redhat.com/jbossnetwork/restricted… | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2039903 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2137645 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2021-22569 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2039903 | external |
| https://www.cve.org/CVERecord?id=CVE-2021-22569 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2021-22569 | external |
| https://github.com/protocolbuffers/protobuf/commi… | external |
| https://github.com/protocolbuffers/protobuf/secur… | external |
| https://access.redhat.com/security/cve/CVE-2022-3171 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2137645 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-3171 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-3171 | external |
| https://github.com/protocolbuffers/protobuf/secur… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update for Debezium is now available for Red Hat Integration.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Debezium is a distributed platform that turns your existing databases into event streams, so applications can see and respond immediately to each row-level change in the databases.\n\nDebezium is built on top of Apache Kafka and provides Kafka Connect compatible connectors that monitor specific database management systems. Debezium records the history of data changes in Kafka logs, from where your application consumes them. This makes it possible for your application to easily consume all of the events correctly and completely. Even if your application stops unexpectedly, it will not miss anything: when the application restarts, it will resume consuming the events where it left off.\n\nSecurity Fix(es):\n\n* protobuf-java: potential DoS in the parsing procedure for binary data (CVE-2021-22569)\n\n* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:7896",
"url": "https://access.redhat.com/errata/RHSA-2022:7896"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2022-Q4",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2022-Q4"
},
{
"category": "external",
"summary": "2039903",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039903"
},
{
"category": "external",
"summary": "2137645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137645"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_7896.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Integration Debezium 1.9.7 security update",
"tracking": {
"current_release_date": "2026-05-14T22:32:54+00:00",
"generator": {
"date": "2026-05-14T22:32:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2022:7896",
"initial_release_date": "2022-11-09T13:48:40+00:00",
"revision_history": [
{
"date": "2022-11-09T13:48:40+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-11-09T13:48:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:32:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHINT Debezium 1.9.7",
"product": {
"name": "RHINT Debezium 1.9.7",
"product_id": "RHINT Debezium 1.9.7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:integration:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Integration"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-22569",
"cwe": {
"id": "CWE-696",
"name": "Incorrect Behavior Order"
},
"discovery_date": "2022-01-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2039903"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in protobuf-java. Google Protocol Buffer (protobuf-java) allows the interleaving of com.google.protobuf.UnknownFieldSet fields. By persuading a victim to open specially-crafted content, a remote attacker could cause a timeout in the ProtobufFuzzer function, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf-java: potential DoS in the parsing procedure for binary data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Debezium 1.9.7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-22569"
},
{
"category": "external",
"summary": "RHBZ#2039903",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039903"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-22569",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22569"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22569",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22569"
},
{
"category": "external",
"summary": "https://github.com/protocolbuffers/protobuf/commit/b3093dce58bc9d3042f085666d83c8ef1f51fe7b",
"url": "https://github.com/protocolbuffers/protobuf/commit/b3093dce58bc9d3042f085666d83c8ef1f51fe7b"
},
{
"category": "external",
"summary": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67",
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67"
}
],
"release_date": "2022-01-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-09T13:48:40+00:00",
"details": "To apply this update just follow standard installation procedure\n\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/installing_debezium_on_openshift/index\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/installing_debezium_on_rhel/index",
"product_ids": [
"RHINT Debezium 1.9.7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7896"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Debezium 1.9.7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "protobuf-java: potential DoS in the parsing procedure for binary data"
},
{
"cve": "CVE-2022-3171",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2137645"
}
],
"notes": [
{
"category": "description",
"text": "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf-java: timeout in parser leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Debezium 1.9.7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3171"
},
{
"category": "external",
"summary": "RHBZ#2137645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3171",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171"
},
{
"category": "external",
"summary": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2",
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
}
],
"release_date": "2022-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-11-09T13:48:40+00:00",
"details": "To apply this update just follow standard installation procedure\n\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/installing_debezium_on_openshift/index\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/installing_debezium_on_rhel/index",
"product_ids": [
"RHINT Debezium 1.9.7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:7896"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Debezium 1.9.7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "protobuf-java: timeout in parser leads to DoS"
}
]
}
RHSA-2022:9023
Vulnerability from csaf_redhat - Published: 2022-12-14 13:15 - Updated: 2026-05-05 10:06Summary
Red Hat Security Advisory: Red Hat build of Quarkus 2.13.5 release and security update
Severity
Important
Notes
Topic: An update is now available for Red Hat build of Quarkus. Red Hat Product
Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.
Details: This release of Red Hat build of Quarkus 2.13.5 includes security updates, bug
fixes, and enhancements. For more information, see the release notes page listed in the References section.
Security Fix(es):
* CVE-2022-4147 quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus
* CVE-2022-4116 quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE
* CVE-2022-37734 graphql-java: DoS by malicious query
* CVE-2022-3171 protobuf-java: timeout in parser leads to DoS
* CVE-2022-42889 commons-text: apache-commons-text: variable interpolation RCE
* CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
* CVE-2022-42004 jackson-databind: use of deeply nested arrays
* CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 2.13.5
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:2.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A vulnerability was found in quarkus. This issue occurs in Dev UI Config Editor, which is vulnerable to drive-by localhost attacks leading to remote code execution.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 2.13.5
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:2.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A vulnerability was found in Quarkus. The Quarkus CORS filter allows simple GET and POST requests with an invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest have no event listeners registered on the object returned by the XMLHttpRequest upload property, and have no ReadableStream object used in the request.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 2.13.5
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:2.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in PostgresQL. This flaw allows an attacker to benefit from a miss escaping character and leads to a SQL injection attack due to Java.sql.ResultRow.refreshRow() implementation from PGSQL.
8.0 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 2.13.5
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:2.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in GraphQL Java. This flaw allows an attacker to use a malicious query in GraphQL to cause a denial of service due to inefficient lexer input validation.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 2.13.5
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:2.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 2.13.5
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:2.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 2.13.5
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:2.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 2.13.5
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:2.13
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
50 references
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2022:9023 | self |
| https://access.redhat.com/security/updates/classi… | external |
| https://access.redhat.com/articles/4966181 | external |
| https://access.redhat.com/jbossnetwork/restricted… | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2126809 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2129428 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2135244 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2135247 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2135435 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2137645 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2144748 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2148867 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2022-3171 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2137645 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-3171 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-3171 | external |
| https://github.com/protocolbuffers/protobuf/secur… | external |
| https://access.redhat.com/security/cve/CVE-2022-4116 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2144748 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-4116 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-4116 | external |
| https://access.redhat.com/security/cve/CVE-2022-4147 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2148867 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-4147 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-4147 | external |
| https://access.redhat.com/security/cve/CVE-2022-31197 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2129428 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-31197 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-31197 | external |
| https://github.com/pgjdbc/pgjdbc/security/advisor… | external |
| https://access.redhat.com/security/cve/CVE-2022-37734 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2126809 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-37734 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-37734 | external |
| https://access.redhat.com/security/cve/CVE-2022-42003 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2135244 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-42003 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-42003 | external |
| https://access.redhat.com/security/cve/CVE-2022-42004 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2135247 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-42004 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-42004 | external |
| https://access.redhat.com/security/cve/CVE-2022-42889 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2135435 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-42889 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-42889 | external |
| https://blogs.apache.org/security/entry/cve-2022-42889 | external |
| https://lists.apache.org/thread/n2bd4vdsgkqh2tm14… | external |
| https://seclists.org/oss-sec/2022/q4/22 | external |
Acknowledgments
Contrast Security
Joseph Beeton
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus. Red Hat Product\nSecurity has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 2.13.5 includes security updates, bug\nfixes, and enhancements. For more information, see the release notes page listed in the References section.\n\nSecurity Fix(es):\n\n* CVE-2022-4147 quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus \n\n* CVE-2022-4116 quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE\n\n* CVE-2022-37734 graphql-java: DoS by malicious query\n\n* CVE-2022-3171 protobuf-java: timeout in parser leads to DoS\n\n* CVE-2022-42889 commons-text: apache-commons-text: variable interpolation RCE\n\n* CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS\n\n* CVE-2022-42004 jackson-databind: use of deeply nested arrays \n\n* CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:9023",
"url": "https://access.redhat.com/errata/RHSA-2022:9023"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/4966181",
"url": "https://access.redhat.com/articles/4966181"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=redhat.quarkus\u0026version=2.13.5",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=redhat.quarkus\u0026version=2.13.5"
},
{
"category": "external",
"summary": "2126809",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126809"
},
{
"category": "external",
"summary": "2129428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129428"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "2137645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137645"
},
{
"category": "external",
"summary": "2144748",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144748"
},
{
"category": "external",
"summary": "2148867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148867"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_9023.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus 2.13.5 release and security update",
"tracking": {
"current_release_date": "2026-05-05T10:06:07+00:00",
"generator": {
"date": "2026-05-05T10:06:07+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2022:9023",
"initial_release_date": "2022-12-14T13:15:01+00:00",
"revision_history": [
{
"date": "2022-12-14T13:15:01+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-12-14T13:15:01+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-05T10:06:07+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus 2.13.5",
"product": {
"name": "Red Hat build of Quarkus 2.13.5",
"product_id": "Red Hat build of Quarkus 2.13.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:2.13"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-3171",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2137645"
}
],
"notes": [
{
"category": "description",
"text": "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf-java: timeout in parser leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.13.5"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3171"
},
{
"category": "external",
"summary": "RHBZ#2137645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3171",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171"
},
{
"category": "external",
"summary": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2",
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
}
],
"release_date": "2022-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-14T13:15:01+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 2.13.5"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:9023"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.13.5"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "protobuf-java: timeout in parser leads to DoS"
},
{
"acknowledgments": [
{
"names": [
"Joseph Beeton"
],
"organization": "Contrast Security"
}
],
"cve": "CVE-2022-4116",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2022-11-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2144748"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in quarkus. This issue occurs in Dev UI Config Editor, which is vulnerable to drive-by localhost attacks leading to remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.13.5"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4116"
},
{
"category": "external",
"summary": "RHBZ#2144748",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144748"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4116",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4116"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4116",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4116"
}
],
"release_date": "2022-11-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-14T13:15:01+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 2.13.5"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:9023"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.13.5"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE"
},
{
"cve": "CVE-2022-4147",
"cwe": {
"id": "CWE-1026",
"name": "CWE-1026"
},
"discovery_date": "2022-11-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2148867"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Quarkus. The Quarkus CORS filter allows simple GET and POST requests with an invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest have no event listeners registered on the object returned by the XMLHttpRequest upload property, and have no ReadableStream object used in the request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.13.5"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4147"
},
{
"category": "external",
"summary": "RHBZ#2148867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148867"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4147",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4147"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4147",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4147"
}
],
"release_date": "2022-11-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-14T13:15:01+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 2.13.5"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:9023"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.13.5"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus"
},
{
"cve": "CVE-2022-31197",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2022-09-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129428"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in PostgresQL. This flaw allows an attacker to benefit from a miss escaping character and leads to a SQL injection attack due to Java.sql.ResultRow.refreshRow() implementation from PGSQL.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be presented soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.13.5"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31197"
},
{
"category": "external",
"summary": "RHBZ#2129428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129428"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31197",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31197"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31197",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31197"
},
{
"category": "external",
"summary": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2",
"url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2"
}
],
"release_date": "2022-08-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-14T13:15:01+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 2.13.5"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:9023"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.13.5"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names"
},
{
"cve": "CVE-2022-37734",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126809"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in GraphQL Java. This flaw allows an attacker to use a malicious query in GraphQL to cause a denial of service due to inefficient lexer input validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "graphql-java: DoS by malicious query",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.13.5"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37734"
},
{
"category": "external",
"summary": "RHBZ#2126809",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126809"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37734",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37734"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37734",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37734"
}
],
"release_date": "2022-09-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-14T13:15:01+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 2.13.5"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:9023"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.13.5"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "graphql-java: DoS by malicious query"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.13.5"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-14T13:15:01+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 2.13.5"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:9023"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.13.5"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.13.5"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-14T13:15:01+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 2.13.5"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:9023"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.13.5"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-42889",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2022-10-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135435"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-text: variable interpolation RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.13.5"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42889"
},
{
"category": "external",
"summary": "RHBZ#2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42889",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42889"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889"
},
{
"category": "external",
"summary": "https://blogs.apache.org/security/entry/cve-2022-42889",
"url": "https://blogs.apache.org/security/entry/cve-2022-42889"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om",
"url": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om"
},
{
"category": "external",
"summary": "https://seclists.org/oss-sec/2022/q4/22",
"url": "https://seclists.org/oss-sec/2022/q4/22"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-14T13:15:01+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 2.13.5"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:9023"
},
{
"category": "workaround",
"details": "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.",
"product_ids": [
"Red Hat build of Quarkus 2.13.5"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.13.5"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-commons-text: variable interpolation RCE"
}
]
}
RHSA-2023:1006
Vulnerability from csaf_redhat - Published: 2023-03-08 14:54 - Updated: 2026-05-17 02:00Summary
Red Hat Security Advisory: Red Hat build of Quarkus 2.7.7 release and security update
Severity
Important
Notes
Topic: An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.
Details: This release of Red Hat build of Quarkus 2.7.7 includes security updates, bug
fixes, and enhancements. For more information, see the release notes page listed
in the References section.
Security Fix(es):
*CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2]
*CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2]
*CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [quarkus-2.7]
*CVE-2022-42004 jackson-databind: use of deeply nested arrays [quarkus-2.7]
*CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [quarkus-2.7]
*CVE-2022-42889 commons-text: apache-commons-text: variable interpolation RCE [quarkus-2.7]
*CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2]
*CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow [quarkus-2.7]
*CVE-2022-3171 protobuf-java: timeout in parser leads to DoS [quarkus-2]
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).
6.2 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 2.7.7
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:2.7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 2.7.7
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:2.7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in PostgresQL. This flaw allows an attacker to benefit from a miss escaping character and leads to a SQL injection attack due to Java.sql.ResultRow.refreshRow() implementation from PGSQL.
8.0 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 2.7.7
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:2.7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.
5.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 2.7.7
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:2.7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 2.7.7
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:2.7
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 2.7.7
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:2.7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 2.7.7
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:2.7
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 2.7.7
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:2.7
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Critical
A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 2.7.7
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:2.7
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
References
89 references
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2023:1006 | self |
| https://access.redhat.com/security/updates/classi… | external |
| https://access.redhat.com/articles/4966181 | external |
| https://access.redhat.com/jbossnetwork/restricted… | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2129428 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2135244 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2135247 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2135435 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2137645 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2150009 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2153399 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2158081 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2170431 | external |
| https://issues.redhat.com/browse/QUARKUS-2593 | external |
| https://issues.redhat.com/browse/QUARKUS-2705 | external |
| https://issues.redhat.com/browse/QUARKUS-2852 | external |
| https://issues.redhat.com/browse/QUARKUS-2854 | external |
| https://issues.redhat.com/browse/QUARKUS-2855 | external |
| https://issues.redhat.com/browse/QUARKUS-2856 | external |
| https://issues.redhat.com/browse/QUARKUS-2861 | external |
| https://issues.redhat.com/browse/QUARKUS-2862 | external |
| https://issues.redhat.com/browse/QUARKUS-2864 | external |
| https://issues.redhat.com/browse/QUARKUS-2865 | external |
| https://issues.redhat.com/browse/QUARKUS-2866 | external |
| https://issues.redhat.com/browse/QUARKUS-2867 | external |
| https://issues.redhat.com/browse/QUARKUS-2869 | external |
| https://issues.redhat.com/browse/QUARKUS-2871 | external |
| https://issues.redhat.com/browse/QUARKUS-2872 | external |
| https://issues.redhat.com/browse/QUARKUS-2873 | external |
| https://issues.redhat.com/browse/QUARKUS-2874 | external |
| https://issues.redhat.com/browse/QUARKUS-2876 | external |
| https://issues.redhat.com/browse/QUARKUS-2877 | external |
| https://issues.redhat.com/browse/QUARKUS-2879 | external |
| https://issues.redhat.com/browse/QUARKUS-2880 | external |
| https://issues.redhat.com/browse/QUARKUS-2882 | external |
| https://issues.redhat.com/browse/QUARKUS-2883 | external |
| https://issues.redhat.com/browse/QUARKUS-2884 | external |
| https://issues.redhat.com/browse/QUARKUS-2885 | external |
| https://issues.redhat.com/browse/QUARKUS-2886 | external |
| https://issues.redhat.com/browse/QUARKUS-2887 | external |
| https://issues.redhat.com/browse/QUARKUS-2888 | external |
| https://issues.redhat.com/browse/QUARKUS-2889 | external |
| https://issues.redhat.com/browse/QUARKUS-2893 | external |
| https://issues.redhat.com/browse/QUARKUS-2895 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2022-1471 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2150009 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-1471 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-1471 | external |
| https://github.com/google/security-research/secur… | external |
| https://access.redhat.com/security/cve/CVE-2022-3171 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2137645 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-3171 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-3171 | external |
| https://github.com/protocolbuffers/protobuf/secur… | external |
| https://access.redhat.com/security/cve/CVE-2022-31197 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2129428 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-31197 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-31197 | external |
| https://github.com/pgjdbc/pgjdbc/security/advisor… | external |
| https://access.redhat.com/security/cve/CVE-2022-41946 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2153399 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-41946 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-41946 | external |
| https://access.redhat.com/security/cve/CVE-2022-41966 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2170431 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-41966 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-41966 | external |
| https://github.com/x-stream/xstream/security/advi… | external |
| https://access.redhat.com/security/cve/CVE-2022-42003 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2135244 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-42003 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-42003 | external |
| https://access.redhat.com/security/cve/CVE-2022-42004 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2135247 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-42004 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-42004 | external |
| https://access.redhat.com/security/cve/CVE-2022-42889 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2135435 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-42889 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-42889 | external |
| https://blogs.apache.org/security/entry/cve-2022-42889 | external |
| https://lists.apache.org/thread/n2bd4vdsgkqh2tm14… | external |
| https://seclists.org/oss-sec/2022/q4/22 | external |
| https://access.redhat.com/security/cve/CVE-2023-0044 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2158081 | external |
| https://www.cve.org/CVERecord?id=CVE-2023-0044 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2023-0044 | external |
| https://github.com/advisories/GHSA-c57v-hc7m-8px2 | external |
Acknowledgments
Red Hat
Paulo Lopes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 2.7.7 includes security updates, bug\nfixes, and enhancements. For more information, see the release notes page listed\nin the References section.\n\nSecurity Fix(es):\n\n*CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2]\n\n*CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2]\n\n*CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [quarkus-2.7]\n\n*CVE-2022-42004 jackson-databind: use of deeply nested arrays [quarkus-2.7]\n\n*CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [quarkus-2.7]\n\n*CVE-2022-42889 commons-text: apache-commons-text: variable interpolation RCE [quarkus-2.7]\n\n*CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2]\n\n*CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element\u0027s hash values raising a stack overflow [quarkus-2.7]\n\n*CVE-2022-3171 protobuf-java: timeout in parser leads to DoS [quarkus-2]",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1006",
"url": "https://access.redhat.com/errata/RHSA-2023:1006"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/4966181",
"url": "https://access.redhat.com/articles/4966181"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=redhat.quarkus\u0026version=2.7.7",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=redhat.quarkus\u0026version=2.7.7"
},
{
"category": "external",
"summary": "2129428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129428"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "2137645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137645"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2153399",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153399"
},
{
"category": "external",
"summary": "2158081",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158081"
},
{
"category": "external",
"summary": "2170431",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170431"
},
{
"category": "external",
"summary": "QUARKUS-2593",
"url": "https://issues.redhat.com/browse/QUARKUS-2593"
},
{
"category": "external",
"summary": "QUARKUS-2705",
"url": "https://issues.redhat.com/browse/QUARKUS-2705"
},
{
"category": "external",
"summary": "QUARKUS-2852",
"url": "https://issues.redhat.com/browse/QUARKUS-2852"
},
{
"category": "external",
"summary": "QUARKUS-2854",
"url": "https://issues.redhat.com/browse/QUARKUS-2854"
},
{
"category": "external",
"summary": "QUARKUS-2855",
"url": "https://issues.redhat.com/browse/QUARKUS-2855"
},
{
"category": "external",
"summary": "QUARKUS-2856",
"url": "https://issues.redhat.com/browse/QUARKUS-2856"
},
{
"category": "external",
"summary": "QUARKUS-2861",
"url": "https://issues.redhat.com/browse/QUARKUS-2861"
},
{
"category": "external",
"summary": "QUARKUS-2862",
"url": "https://issues.redhat.com/browse/QUARKUS-2862"
},
{
"category": "external",
"summary": "QUARKUS-2864",
"url": "https://issues.redhat.com/browse/QUARKUS-2864"
},
{
"category": "external",
"summary": "QUARKUS-2865",
"url": "https://issues.redhat.com/browse/QUARKUS-2865"
},
{
"category": "external",
"summary": "QUARKUS-2866",
"url": "https://issues.redhat.com/browse/QUARKUS-2866"
},
{
"category": "external",
"summary": "QUARKUS-2867",
"url": "https://issues.redhat.com/browse/QUARKUS-2867"
},
{
"category": "external",
"summary": "QUARKUS-2869",
"url": "https://issues.redhat.com/browse/QUARKUS-2869"
},
{
"category": "external",
"summary": "QUARKUS-2871",
"url": "https://issues.redhat.com/browse/QUARKUS-2871"
},
{
"category": "external",
"summary": "QUARKUS-2872",
"url": "https://issues.redhat.com/browse/QUARKUS-2872"
},
{
"category": "external",
"summary": "QUARKUS-2873",
"url": "https://issues.redhat.com/browse/QUARKUS-2873"
},
{
"category": "external",
"summary": "QUARKUS-2874",
"url": "https://issues.redhat.com/browse/QUARKUS-2874"
},
{
"category": "external",
"summary": "QUARKUS-2876",
"url": "https://issues.redhat.com/browse/QUARKUS-2876"
},
{
"category": "external",
"summary": "QUARKUS-2877",
"url": "https://issues.redhat.com/browse/QUARKUS-2877"
},
{
"category": "external",
"summary": "QUARKUS-2879",
"url": "https://issues.redhat.com/browse/QUARKUS-2879"
},
{
"category": "external",
"summary": "QUARKUS-2880",
"url": "https://issues.redhat.com/browse/QUARKUS-2880"
},
{
"category": "external",
"summary": "QUARKUS-2882",
"url": "https://issues.redhat.com/browse/QUARKUS-2882"
},
{
"category": "external",
"summary": "QUARKUS-2883",
"url": "https://issues.redhat.com/browse/QUARKUS-2883"
},
{
"category": "external",
"summary": "QUARKUS-2884",
"url": "https://issues.redhat.com/browse/QUARKUS-2884"
},
{
"category": "external",
"summary": "QUARKUS-2885",
"url": "https://issues.redhat.com/browse/QUARKUS-2885"
},
{
"category": "external",
"summary": "QUARKUS-2886",
"url": "https://issues.redhat.com/browse/QUARKUS-2886"
},
{
"category": "external",
"summary": "QUARKUS-2887",
"url": "https://issues.redhat.com/browse/QUARKUS-2887"
},
{
"category": "external",
"summary": "QUARKUS-2888",
"url": "https://issues.redhat.com/browse/QUARKUS-2888"
},
{
"category": "external",
"summary": "QUARKUS-2889",
"url": "https://issues.redhat.com/browse/QUARKUS-2889"
},
{
"category": "external",
"summary": "QUARKUS-2893",
"url": "https://issues.redhat.com/browse/QUARKUS-2893"
},
{
"category": "external",
"summary": "QUARKUS-2895",
"url": "https://issues.redhat.com/browse/QUARKUS-2895"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1006.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus 2.7.7 release and security update",
"tracking": {
"current_release_date": "2026-05-17T02:00:39+00:00",
"generator": {
"date": "2026-05-17T02:00:39+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2023:1006",
"initial_release_date": "2023-03-08T14:54:57+00:00",
"revision_history": [
{
"date": "2023-03-08T14:54:57+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-08T14:54:57+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-17T02:00:39+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus 2.7.7",
"product": {
"name": "Red Hat build of Quarkus 2.7.7",
"product_id": "Red Hat build of Quarkus 2.7.7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:2.7"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.7.7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-08T14:54:57+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 2.7.7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1006"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.7.7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-3171",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2137645"
}
],
"notes": [
{
"category": "description",
"text": "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf-java: timeout in parser leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.7.7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3171"
},
{
"category": "external",
"summary": "RHBZ#2137645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3171",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171"
},
{
"category": "external",
"summary": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2",
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
}
],
"release_date": "2022-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-08T14:54:57+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 2.7.7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1006"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.7.7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "protobuf-java: timeout in parser leads to DoS"
},
{
"cve": "CVE-2022-31197",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2022-09-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129428"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in PostgresQL. This flaw allows an attacker to benefit from a miss escaping character and leads to a SQL injection attack due to Java.sql.ResultRow.refreshRow() implementation from PGSQL.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be presented soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.7.7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31197"
},
{
"category": "external",
"summary": "RHBZ#2129428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129428"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31197",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31197"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31197",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31197"
},
{
"category": "external",
"summary": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2",
"url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2"
}
],
"release_date": "2022-08-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-08T14:54:57+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 2.7.7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1006"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.7.7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names"
},
{
"cve": "CVE-2022-41946",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153399"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn\u0027t make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.7.7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41946"
},
{
"category": "external",
"summary": "RHBZ#2153399",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153399"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41946",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41946"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41946",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41946"
}
],
"release_date": "2022-11-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-08T14:54:57+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 2.7.7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1006"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.7.7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions"
},
{
"cve": "CVE-2022-41966",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-02-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2170431"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Denial of Service by injecting recursive collections or maps based on element\u0027s hash values raising a stack overflow",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\n\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.7.7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41966"
},
{
"category": "external",
"summary": "RHBZ#2170431",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170431"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41966",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41966"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41966",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41966"
},
{
"category": "external",
"summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv"
}
],
"release_date": "2022-12-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-08T14:54:57+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 2.7.7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1006"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.7.7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "xstream: Denial of Service by injecting recursive collections or maps based on element\u0027s hash values raising a stack overflow"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.7.7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-08T14:54:57+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 2.7.7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1006"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.7.7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.7.7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-08T14:54:57+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 2.7.7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1006"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.7.7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-42889",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2022-10-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135435"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-text: variable interpolation RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.7.7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42889"
},
{
"category": "external",
"summary": "RHBZ#2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42889",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42889"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889"
},
{
"category": "external",
"summary": "https://blogs.apache.org/security/entry/cve-2022-42889",
"url": "https://blogs.apache.org/security/entry/cve-2022-42889"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om",
"url": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om"
},
{
"category": "external",
"summary": "https://seclists.org/oss-sec/2022/q4/22",
"url": "https://seclists.org/oss-sec/2022/q4/22"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-08T14:54:57+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 2.7.7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1006"
},
{
"category": "workaround",
"details": "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.",
"product_ids": [
"Red Hat build of Quarkus 2.7.7"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.7.7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "apache-commons-text: variable interpolation RCE"
},
{
"acknowledgments": [
{
"names": [
"Paulo Lopes"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2023-0044",
"discovery_date": "2023-01-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158081"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.7.7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0044"
},
{
"category": "external",
"summary": "RHBZ#2158081",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158081"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0044",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0044"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0044",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0044"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-c57v-hc7m-8px2",
"url": "https://github.com/advisories/GHSA-c57v-hc7m-8px2"
}
],
"release_date": "2023-01-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-08T14:54:57+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 2.7.7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1006"
},
{
"category": "workaround",
"details": "This attack can be prevented with the Quarkus CSRF Prevention feature.",
"product_ids": [
"Red Hat build of Quarkus 2.7.7"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.7.7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure"
}
]
}
RHSA-2023:4983
Vulnerability from csaf_redhat - Published: 2023-09-05 18:37 - Updated: 2026-05-14 22:33Summary
Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.4 security update
Severity
Important
Notes
Topic: An update is now available for Red Hat Process Automation Manager.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which provides a detailed severity rating, is available for each vulnerability from the CVE links in the References section.
Details: Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.
This asynchronous security patch is an update to Red Hat Process Automation Manager 7.
Security Fixes:
* apache-bcel: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* loader-utils: regular expression denial of service in interpolateName.js (CVE-2022-37599)
* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* RESTEasy: creation of insecure temp files (CVE-2023-0482)
* sshd-core: mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server (CVE-2021-30129)
For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.
7.4 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Textformat in protobuf-java core that can lead to a denial of service. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields can cause objects to convert between mutable and immutable forms, resulting in long garbage collection pauses.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Message-Type Extensions in protobuf-java core that can lead to a denial of service. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields can cause objects to convert between mutable and immutable forms, resulting in long garbage collection pauses.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step ( that should at least be performed by default) in HTTPS and in http/2.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.
5.9 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the interpolateName function in interpolateName.js in the webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js. This flaw can lead to a regular expression denial of service (ReDoS).
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in decode-uri-component. This issue occurs due to a specially crafted input, resulting in a denial of service.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed behind a proxy that caches 404 responses. This issue may cause a denial of service (DoS) attack.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in Apache Commons FileUpload, where it does not limit the number of parts being processed in a request. This issue may allow an attacker to use a malicious upload or series of uploads to trigger a denial of service. While Red Hat Satellite relies upon Apache Tomcat, it does not directly ship it. Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RHPAM 7.13.4 async
Red Hat / Red Hat Process Automation Manager
|
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
100 references
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2023:4983 | self |
| https://access.redhat.com/security/updates/classi… | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=1981527 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2126789 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2134291 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2134872 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2137645 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2142707 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2145194 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2166004 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2170644 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2180528 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2209342 | external |
| https://issues.redhat.com/browse/RHPAM-4639 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2021-30129 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=1981527 | external |
| https://www.cve.org/CVERecord?id=CVE-2021-30129 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2021-30129 | external |
| https://access.redhat.com/security/cve/CVE-2022-3143 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2124682 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-3143 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-3143 | external |
| https://access.redhat.com/security/cve/CVE-2022-3171 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2137645 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-3171 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-3171 | external |
| https://github.com/protocolbuffers/protobuf/secur… | external |
| https://access.redhat.com/security/cve/CVE-2022-3509 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2184161 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-3509 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-3509 | external |
| https://access.redhat.com/security/cve/CVE-2022-3510 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2184176 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-3510 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-3510 | external |
| https://access.redhat.com/security/cve/CVE-2022-4492 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2153260 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-4492 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-4492 | external |
| https://access.redhat.com/security/cve/CVE-2022-25857 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2126789 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-25857 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-25857 | external |
| https://bitbucket.org/snakeyaml/snakeyaml/issues/525 | external |
| https://access.redhat.com/security/cve/CVE-2022-37599 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2134872 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-37599 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-37599 | external |
| https://github.com/advisories/GHSA-hhq3-ff78-jv3g | external |
| https://github.com/webpack/loader-utils/issues/211 | external |
| https://access.redhat.com/security/cve/CVE-2022-38900 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2170644 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-38900 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-38900 | external |
| https://github.com/SamVerschueren/decode-uri-comp… | external |
| https://github.com/advisories/GHSA-w573-4hg7-7wgq | external |
| https://access.redhat.com/security/cve/CVE-2022-40152 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2134291 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-40152 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-40152 | external |
| https://github.com/advisories/GHSA-3f7h-mf4q-vrm4 | external |
| https://access.redhat.com/security/cve/CVE-2022-41854 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2151988 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-41854 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-41854 | external |
| https://bitbucket.org/snakeyaml/snakeyaml/issues/… | external |
| https://bugs.chromium.org/p/oss-fuzz/issues/detai… | external |
| https://access.redhat.com/security/cve/CVE-2022-42920 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2142707 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-42920 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-42920 | external |
| https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm… | external |
| https://access.redhat.com/security/cve/CVE-2022-45047 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2145194 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-45047 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-45047 | external |
| https://www.mail-archive.com/dev@mina.apache.org/… | external |
| https://access.redhat.com/security/cve/CVE-2023-0482 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2166004 | external |
| https://www.cve.org/CVERecord?id=CVE-2023-0482 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2023-0482 | external |
| https://access.redhat.com/security/cve/CVE-2023-20860 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2180528 | external |
| https://www.cve.org/CVERecord?id=CVE-2023-20860 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2023-20860 | external |
| https://spring.io/blog/2023/03/20/spring-framewor… | external |
| https://access.redhat.com/security/cve/CVE-2023-20861 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2180530 | external |
| https://www.cve.org/CVERecord?id=CVE-2023-20861 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2023-20861 | external |
| https://access.redhat.com/security/cve/CVE-2023-20883 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2209342 | external |
| https://www.cve.org/CVERecord?id=CVE-2023-20883 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2023-20883 | external |
| https://access.redhat.com/security/cve/CVE-2023-24998 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2172298 | external |
| https://www.cve.org/CVERecord?id=CVE-2023-24998 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2023-24998 | external |
| https://commons.apache.org/proper/commons-fileupl… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which provides a detailed severity rating, is available for each vulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis asynchronous security patch is an update to Red Hat Process Automation Manager 7.\n\nSecurity Fixes:\n\n* apache-bcel: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n\n* decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)\n\n* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* loader-utils: regular expression denial of service in interpolateName.js (CVE-2022-37599)\n\n* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)\n\n* RESTEasy: creation of insecure temp files (CVE-2023-0482)\n\n* sshd-core: mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server (CVE-2021-30129)\n\nFor more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:4983",
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1981527",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981527"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "2134872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134872"
},
{
"category": "external",
"summary": "2137645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137645"
},
{
"category": "external",
"summary": "2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2166004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166004"
},
{
"category": "external",
"summary": "2170644",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170644"
},
{
"category": "external",
"summary": "2180528",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180528"
},
{
"category": "external",
"summary": "2209342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209342"
},
{
"category": "external",
"summary": "RHPAM-4639",
"url": "https://issues.redhat.com/browse/RHPAM-4639"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_4983.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.4 security update",
"tracking": {
"current_release_date": "2026-05-14T22:33:03+00:00",
"generator": {
"date": "2026-05-14T22:33:03+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2023:4983",
"initial_release_date": "2023-09-05T18:37:03+00:00",
"revision_history": [
{
"date": "2023-09-05T18:37:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-09-05T18:37:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:33:03+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHPAM 7.13.4 async",
"product": {
"name": "RHPAM 7.13.4 async",
"product_id": "RHPAM 7.13.4 async",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"
}
}
}
],
"category": "product_family",
"name": "Red Hat Process Automation Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-30129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1981527"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-30129"
},
{
"category": "external",
"summary": "RHBZ#1981527",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981527"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-30129",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-30129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30129"
}
],
"release_date": "2021-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server"
},
{
"cve": "CVE-2022-3143",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124682"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-elytron: possible timing attacks via use of unsafe comparator",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3143"
},
{
"category": "external",
"summary": "RHBZ#2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly-elytron: possible timing attacks via use of unsafe comparator"
},
{
"cve": "CVE-2022-3171",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2137645"
}
],
"notes": [
{
"category": "description",
"text": "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf-java: timeout in parser leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3171"
},
{
"category": "external",
"summary": "RHBZ#2137645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3171",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171"
},
{
"category": "external",
"summary": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2",
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
}
],
"release_date": "2022-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "protobuf-java: timeout in parser leads to DoS"
},
{
"cve": "CVE-2022-3509",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2022-12-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2184161"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Textformat in protobuf-java core that can lead to a denial of service. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields can cause objects to convert between mutable and immutable forms, resulting in long garbage collection pauses.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf-java: Textformat parsing issue leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3509"
},
{
"category": "external",
"summary": "RHBZ#2184161",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184161"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3509",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3509"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3509",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3509"
}
],
"release_date": "2022-12-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "protobuf-java: Textformat parsing issue leads to DoS"
},
{
"cve": "CVE-2022-3510",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2022-12-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2184176"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Message-Type Extensions in protobuf-java core that can lead to a denial of service. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields can cause objects to convert between mutable and immutable forms, resulting in long garbage collection pauses.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf-java: Message-Type Extensions parsing issue leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3510"
},
{
"category": "external",
"summary": "RHBZ#2184176",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184176"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3510",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3510"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3510",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3510"
}
],
"release_date": "2022-12-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "protobuf-java: Message-Type Extensions parsing issue leads to DoS"
},
{
"cve": "CVE-2022-4492",
"cwe": {
"id": "CWE-550",
"name": "Server-generated Error Message Containing Sensitive Information"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153260"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step ( that should at least be performed by default) in HTTPS and in http/2.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: Server identity in https connection is not checked by the undertow client",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4492"
},
{
"category": "external",
"summary": "RHBZ#2153260",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4492",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4492"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4492",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4492"
}
],
"release_date": "2022-12-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undertow: Server identity in https connection is not checked by the undertow client"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-37599",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134872"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the interpolateName function in interpolateName.js in the webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js. This flaw can lead to a regular expression denial of service (ReDoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: regular expression denial of service in interpolateName.js",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat OpenShift Logging the openshift-logging/kibana6-rhel8 container and openshift-logging/logging-view-plugin-rhel8 bundles many nodejs packages as a build time dependencies, including loader-utils package. The vulnerable code is not used hence the impact to OpenShift Logging by this vulnerability is Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37599"
},
{
"category": "external",
"summary": "RHBZ#2134872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134872"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37599",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37599"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37599",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37599"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g",
"url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g"
},
{
"category": "external",
"summary": "https://github.com/webpack/loader-utils/issues/211",
"url": "https://github.com/webpack/loader-utils/issues/211"
}
],
"release_date": "2022-10-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"RHPAM 7.13.4 async"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: regular expression denial of service in interpolateName.js"
},
{
"cve": "CVE-2022-38900",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2023-02-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2170644"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in decode-uri-component. This issue occurs due to a specially crafted input, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "decode-uri-component: improper input validation resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For OpenShift Container Platform (OCP), Advanced Clusters Management for Kubernetes (ACM) and Advanced Cluster Security (ACS), the NPM decode-uri-component package is only present in source repositories as a development dependency, it is not used in production. Therefore this vulnerability is rated Low for OCP and ACS.\n\nIn Red Hat OpenShift Logging the openshift-logging/kibana6-rhel8 container bundles many nodejs packages as a build time dependencies, including the decode-uri-component package. \nThe vulnerable code is not used, hence the impact to OpenShift Logging by this vulnerability is Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38900"
},
{
"category": "external",
"summary": "RHBZ#2170644",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170644"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38900",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38900"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38900",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38900"
},
{
"category": "external",
"summary": "https://github.com/SamVerschueren/decode-uri-component/issues/5",
"url": "https://github.com/SamVerschueren/decode-uri-component/issues/5"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-w573-4hg7-7wgq",
"url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq"
}
],
"release_date": "2022-11-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "decode-uri-component: improper input validation resulting in DoS"
},
{
"cve": "CVE-2022-40152",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134291"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40152"
},
{
"category": "external",
"summary": "RHBZ#2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4",
"url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-41854",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2151988"
}
],
"notes": [
{
"category": "description",
"text": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "dev-java/snakeyaml: DoS via stack overflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41854"
},
{
"category": "external",
"summary": "RHBZ#2151988",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2151988"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41854",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355"
},
{
"category": "external",
"summary": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355"
}
],
"release_date": "2022-11-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "dev-java/snakeyaml: DoS via stack overflow"
},
{
"cve": "CVE-2022-42920",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2142707"
}
],
"notes": [
{
"category": "description",
"text": "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42920"
},
{
"category": "external",
"summary": "RHBZ#2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42920"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4",
"url": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4"
}
],
"release_date": "2022-11-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"RHPAM 7.13.4 async"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2023-0482",
"cwe": {
"id": "CWE-378",
"name": "Creation of Temporary File With Insecure Permissions"
},
"discovery_date": "2023-01-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2166004"
}
],
"notes": [
{
"category": "description",
"text": "In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: creation of insecure temp files",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0482"
},
{
"category": "external",
"summary": "RHBZ#2166004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0482",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0482"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0482",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0482"
}
],
"release_date": "2023-01-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "RESTEasy: creation of insecure temp files"
},
{
"cve": "CVE-2023-20860",
"cwe": {
"id": "CWE-155",
"name": "Improper Neutralization of Wildcards or Matching Symbols"
},
"discovery_date": "2023-03-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2180528"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-20860"
},
{
"category": "external",
"summary": "RHBZ#2180528",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180528"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-20860",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20860"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20860",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20860"
},
{
"category": "external",
"summary": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861",
"url": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861"
}
],
"release_date": "2023-03-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern"
},
{
"cve": "CVE-2023-20861",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-03-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2180530"
}
],
"notes": [
{
"category": "description",
"text": "A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "springframework: Spring Expression DoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-20861"
},
{
"category": "external",
"summary": "RHBZ#2180530",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180530"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-20861",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20861"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20861",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20861"
},
{
"category": "external",
"summary": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861",
"url": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861"
}
],
"release_date": "2023-03-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "springframework: Spring Expression DoS Vulnerability"
},
{
"cve": "CVE-2023-20883",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-05-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2209342"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot\u0027s welcome page support, either static or templated, resulting in the application being deployed behind a proxy that caches 404 responses. This issue may cause a denial of service (DoS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "spring-boot: Spring Boot Welcome Page DoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-20883"
},
{
"category": "external",
"summary": "RHBZ#2209342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209342"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-20883",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20883"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20883",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20883"
}
],
"release_date": "2023-05-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "spring-boot: Spring Boot Welcome Page DoS Vulnerability"
},
{
"cve": "CVE-2023-24998",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-02-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2172298"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons FileUpload, where it does not limit the number of parts being processed in a request. This issue may allow an attacker to use a malicious upload or series of uploads to trigger a denial of service.\r\n\r\nWhile Red Hat Satellite relies upon Apache Tomcat, it does not directly ship it. Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "FileUpload: FileUpload DoS with excessive parts",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-24998"
},
{
"category": "external",
"summary": "RHBZ#2172298",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2172298"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-24998",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24998"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998"
},
{
"category": "external",
"summary": "https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5",
"url": "https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5"
}
],
"release_date": "2023-02-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "FileUpload: FileUpload DoS with excessive parts"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…