Vulnerability-Lookup

CVE-2024-47554 (GCVE-0-2024-47554)

Vulnerability from cvelistv5 – Published: 2024-10-03 11:32 – Updated: 2025-01-31 15:02

Title

Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader

Summary

Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

Severity

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

apache

References

3 references

URL	Tags
https://lists.apache.org/thread/6ozr91rr9cj5lm0zy…	vendor-advisory
http://www.openwall.com/lists/oss-security/2024/10/03/2
https://security.netapp.com/advisory/ntap-2025013…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Commons IO	Affected: 2.0 , < 2.14.0 (semver)

Credits

CodeQL

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-47554",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-03T13:00:56.326970Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-04T15:03:37.949Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-01-31T15:02:47.229Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2024/10/03/2"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250131-0010/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "commons-io:commons-io",
          "product": "Apache Commons IO",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.14.0",
              "status": "affected",
              "version": "2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "tool",
          "value": "CodeQL"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUncontrolled Resource Consumption vulnerability in Apache Commons IO.\u003c/p\u003e\u003cp\u003eThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\n\nThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\n\n\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\n\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-03T11:32:48.936Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-47554",
    "datePublished": "2024-10-03T11:32:48.936Z",
    "dateReserved": "2024-09-26T16:12:46.116Z",
    "dateUpdated": "2025-01-31T15:02:47.229Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-47554",
      "date": "2026-06-05",
      "epss": "0.00131",
      "percentile": "0.32141"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-47554\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2024-10-03T12:15:02.613\",\"lastModified\":\"2025-07-10T21:10:32.113\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\\n\\nThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\\n\\n\\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\\n\\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de consumo descontrolado de recursos en Apache Commons IO. La clase org.apache.commons.io.input.XmlStreamReader puede consumir recursos de CPU en exceso al procesar una entrada manipulada con fines malintencionados. Este problema afecta a Apache Commons IO: desde la versi\u00f3n 2.0 hasta la 2.14.0. Se recomienda a los usuarios que actualicen a la versi\u00f3n 2.14.0 o posterior, que soluciona el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_io:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0\",\"versionEndExcluding\":\"2.14.0\",\"matchCriteriaId\":\"133FC9D6-82C4-40E3-AB39-FE04E5A0BF4D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*\",\"matchCriteriaId\":\"F3E0B672-3E06-4422-B2A4-0BD073AEC2A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*\",\"matchCriteriaId\":\"3A756737-1CC4-42C2-A4DF-E1C893B4E2D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*\",\"matchCriteriaId\":\"B55E8D50-99B4-47EC-86F9-699B67D473CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC1AE8BD-EE3F-494C-9F03-D4B2B7233106\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BB695329-036B-447D-BEB0-AA4D89D1D99C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"23F148EC-6D6D-4C4F-B57C-CFBCD3D32B41\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:ontap_tools:9:*:*:*:*:vmware_vsphere:*:*\",\"matchCriteriaId\":\"C2D814BE-93EC-42EF-88C5-EA7E7DF07BE5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:ontap_tools:10:*:*:*:*:vmware_vsphere:*:*\",\"matchCriteriaId\":\"5333B745-F7A3-46CB-8437-8668DB08CD6F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:santricity_storage_plugin:-:*:*:*:*:vcenter:*:*\",\"matchCriteriaId\":\"82E94B87-065E-475F-815C-F49978CE22FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BDFB1169-41A0-4A86-8E4F-FDA9730B1E94\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/10/03/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20250131-0010/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2024/10/03/2\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20250131-0010/\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-01-31T15:02:47.229Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-47554\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-03T13:00:56.326970Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-03T13:00:59.433Z\"}}], \"cna\": {\"title\": \"Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"tool\", \"value\": \"CodeQL\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"low\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Commons IO\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.0\", \"lessThan\": \"2.14.0\", \"versionType\": \"semver\"}], \"packageName\": \"commons-io:commons-io\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\\n\\nThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\\n\\n\\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\\n\\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUncontrolled Resource Consumption vulnerability in Apache Commons IO.\u003c/p\u003e\u003cp\u003eThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400 Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2024-10-03T11:32:48.936Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-47554\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-31T15:02:47.229Z\", \"dateReserved\": \"2024-09-26T16:12:46.116Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2024-10-03T11:32:48.936Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

NCSC-2026-0027

Vulnerability from csaf_ncscnl - Published: 2026-01-21 10:08 - Updated: 2026-01-21 10:08

Summary

Kwetsbaarheden verholpen in Oracle Fusion Middleware

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten: Oracle heeft kwetsbaarheden verholpen in verschillende producten, waaronder Oracle HTTP Server, Oracle WebLogic Server, en Oracle Fusion Middleware.

Interpretaties: De kwetsbaarheden in de Oracle producten stellen ongeauthenticeerde aanvallers in staat om toegang te krijgen tot gevoelige gegevens, Denial-of-Service (DoS) aanvallen uit te voeren, en de integriteit van systemen te compromitteren. Specifieke kwetsbaarheden omvatten onjuist beheer van HTTP-headers, ongecontroleerde recursie, en onvoldoende bufferbeperkingen, wat kan leiden tot systeemcrashes en gegevensverlies.

Oplossingen: Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans: medium

Schade: high

CWE-20: Improper Input Validation

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CWE-117: Improper Output Neutralization for Logs

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-122: Heap-based Buffer Overflow

CWE-125: Out-of-bounds Read

CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences

CWE-209: Generation of Error Message Containing Sensitive Information

CWE-252: Unchecked Return Value

CWE-284: Improper Access Control

CWE-285: Improper Authorization

CWE-289: Authentication Bypass by Alternate Name

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-400: Uncontrolled Resource Consumption

CWE-404: Improper Resource Shutdown or Release

CWE-457: Use of Uninitialized Variable

CWE-476: NULL Pointer Dereference

CWE-611: Improper Restriction of XML External Entity Reference

CWE-674: Uncontrolled Recursion

CWE-770: Allocation of Resources Without Limits or Throttling

CWE-787: Out-of-bounds Write

CWE-827: Improper Control of Document Type Definition

CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

CWE-863: Incorrect Authorization

CWE-918: Server-Side Request Forgery (SSRF)

CWE-937: CWE-937

CWE-1035: CWE-1035

CVE-2021-45105

Multiple vulnerabilities across Apache Log4j, Oracle products, and various dependencies expose systems to denial-of-service and remote code execution risks, necessitating updates to secure versions.

10.0 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2022-41342

Recent vulnerabilities in Oracle products, including the Oracle HTTP Server and Database, allow for potential privilege escalation, remote code execution, and denial of service, with varying CVSS scores indicating significant risk.

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-13009

Recent vulnerabilities in Oracle JD Edwards, Oracle Middleware, Eclipse Jetty, HPE Telco IP Mediation, and SAP Commerce Cloud expose systems to unauthorized access and data corruption, with CVSS scores reaching 7.2.

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE-404 - Improper Resource Shutdown or Release

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-42516

Multiple vulnerabilities in Apache HTTP Server and Oracle HTTP Server, including CVE-2023-38709 and CVE-2024-42516, expose systems to risks such as HTTP response splitting, SSRF, and unauthorized access.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-20 - Improper Input Validation

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-43204

Apache HTTP Server versions prior to 2.4.64 are vulnerable to multiple security issues, including SSRF and HTTP response splitting, affecting mod_proxy and mod_headers configurations, with critical vulnerabilities also identified in Oracle HTTP Server.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-918 - Server-Side Request Forgery (SSRF)

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-47252

Multiple vulnerabilities in Apache HTTP Server versions 2.4.63 and earlier, including insufficient escaping in mod_ssl, allow untrusted clients to compromise log integrity and potentially lead to unauthorized access and denial of service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-47554

Multiple vulnerabilities across Oracle Middleware, Documaker, and Apache Commons IO allow for denial of service attacks, with CVSS scores ranging from 4.3 to 7.5, affecting various versions of these products.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-56406

Multiple vulnerabilities in Oracle Fusion Middleware and Perl, including heap buffer overflows and denial of service risks, affect various versions, with CVSS scores indicating significant severity.

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CWE-787 - Out-of-bounds Write

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-4949

Multiple vulnerabilities across Oracle Database Server, Oracle Fusion Middleware, and Eclipse JGit expose systems to unauthorized access, severe impacts, and information disclosure through various attack vectors.

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-5115

Multiple vulnerabilities, including the 'MadeYouReset' attack in HTTP/2 and unauthenticated issues in Oracle products, can lead to denial of service across various platforms such as Eclipse Jetty and SAP Commerce Cloud.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-12383

Oracle Database Server versions 23.4.0-23.26.0 have a vulnerability in the Fleet Patching and Provisioning component, while Eclipse Jersey versions 2.45, 3.0.16, and 3.1.9 may ignore critical SSL configurations due to a race condition.

8.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-23048

Multiple vulnerabilities in Apache HTTP Server versions 2.4.35 to 2.4.63 and Oracle HTTP Server allow unauthorized access, data modification, and denial of service, particularly through TLS session resumption and other exploit vectors.

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-284 - Improper Access Control

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-26333

Oracle Database Server and Oracle GoldenGate have Security-in-Depth issues related to Dell BSAFE Crypto-J, which cannot be exploited within their respective contexts, although error messages may expose sensitive information.

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-209 - Generation of Error Message Containing Sensitive Information

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-31672

Multiple vulnerabilities have been identified across various Oracle and Apache POI products, including improper input validation and unauthorized data access, affecting versions 5.4.0 and earlier, with CVSS scores of 5.3.

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CWE-20 - Improper Input Validation

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-41248

Recent vulnerabilities in Oracle Financial Services Model Management and Spring Framework versions expose critical data and may lead to authorization bypass, with significant confidentiality impacts.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-289 - Authentication Bypass by Alternate Name

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-41249

Multiple vulnerabilities have been identified in Oracle Financial Services and Retail products, as well as the Spring Framework, allowing unauthorized access to sensitive data and potentially leading to information disclosure.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-285 - Improper Authorization

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-43967

Oracle Hyperion Financial Reporting (version 11.2.23) has a denial of service vulnerability (CVSS 7.5), while libheif library versions prior to 1.19.6 have a NULL pointer dereference issue in the ImageItem_Grid::get_decoder function.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-476 - NULL Pointer Dereference

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-48924

Multiple vulnerabilities have been identified in Oracle WebLogic Server and Oracle Communications ASAP, both allowing unauthenticated partial denial of service, alongside an uncontrolled recursion issue in Apache Commons Lang leading to potential application crashes.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-48976

Multiple denial-of-service vulnerabilities have been identified in Oracle Application Testing Suite, Oracle Agile PLM, Apache Commons FileUpload, and HPE IceWall Identity Manager, with CVSS scores of 7.5 for some products.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-49796

Multiple vulnerabilities across Oracle Banking Branch and Oracle Communications Cloud Native Core Certificate Management products, as well as libxml2, could lead to critical data compromise and denial of service, with CVSS scores reaching 9.1.

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CWE-125 - Out-of-bounds Read

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-53864

Multiple vulnerabilities across Oracle WebLogic Server, Oracle GoldenGate, and Connect2id Nimbus JOSE + JWT allow unauthenticated attackers to exploit denial of service conditions, affecting various versions with CVSS scores of 5.8.

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-54571

Recent vulnerabilities in Oracle HTTP Server and ModSecurity allow for denial of service and potential XSS attacks, affecting specific versions with significant severity scores.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-252 - Unchecked Return Value

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-54874

Oracle Fusion Middleware has a critical vulnerability (CVSS 9.8) allowing unauthenticated access, while OpenJPEG versions 2.5.1 to 2.5.3 contain a flaw leading to out-of-bounds heap memory writes.

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-457 - Use of Uninitialized Variable

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-54988

Apache Tika versions 1.13 to 3.2.1 have a critical XXE vulnerability, while Oracle PeopleSoft's OpenSearch component in versions 8.60 to 8.62 is also affected by an easily exploitable vulnerability.

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-55163

Recent updates to Netty and Oracle Communications products address critical vulnerabilities, including the 'MadeYouReset' attack in HTTP/2, which can lead to denial of service and resource exhaustion.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-59375

Multiple vulnerabilities, including a memory amplification issue in libexpat and a DoS vulnerability in Oracle Communications Network Analytics, can lead to denial-of-service attacks without enabling arbitrary code execution.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-66516

Apache Tika has a critical XML External Entity (XXE) injection vulnerability affecting multiple modules, particularly in PDF parsing, allowing remote attackers to exploit crafted files for sensitive information disclosure or remote code execution.

10.0 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2026-21962

A critical vulnerability in Oracle HTTP Server and Oracle Weblogic Server Proxy Plug-in allows unauthenticated attackers to compromise systems, affecting specific versions with a CVSS score of 10.0.

10.0 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

References

29 references

URL	Category
https://www.oracle.com/security-alerts/cpujan2026.html	external
https://vulnerabilities.ncsc.nl/csaf/v2/2021/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Oracle heeft kwetsbaarheden verholpen in verschillende producten, waaronder Oracle HTTP Server, Oracle WebLogic Server, en Oracle Fusion Middleware.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden in de Oracle producten stellen ongeauthenticeerde aanvallers in staat om toegang te krijgen tot gevoelige gegevens, Denial-of-Service (DoS) aanvallen uit te voeren, en de integriteit van systemen te compromitteren. Specifieke kwetsbaarheden omvatten onjuist beheer van HTTP-headers, ongecontroleerde recursie, en onvoldoende bufferbeperkingen, wat kan leiden tot systeemcrashes en gegevensverlies.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Input Validation",
        "title": "CWE-20"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
        "title": "CWE-79"
      },
      {
        "category": "general",
        "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
        "title": "CWE-94"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
        "title": "CWE-113"
      },
      {
        "category": "general",
        "text": "Improper Output Neutralization for Logs",
        "title": "CWE-117"
      },
      {
        "category": "general",
        "text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
        "title": "CWE-119"
      },
      {
        "category": "general",
        "text": "Heap-based Buffer Overflow",
        "title": "CWE-122"
      },
      {
        "category": "general",
        "text": "Out-of-bounds Read",
        "title": "CWE-125"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Escape, Meta, or Control Sequences",
        "title": "CWE-150"
      },
      {
        "category": "general",
        "text": "Generation of Error Message Containing Sensitive Information",
        "title": "CWE-209"
      },
      {
        "category": "general",
        "text": "Unchecked Return Value",
        "title": "CWE-252"
      },
      {
        "category": "general",
        "text": "Improper Access Control",
        "title": "CWE-284"
      },
      {
        "category": "general",
        "text": "Improper Authorization",
        "title": "CWE-285"
      },
      {
        "category": "general",
        "text": "Authentication Bypass by Alternate Name",
        "title": "CWE-289"
      },
      {
        "category": "general",
        "text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
        "title": "CWE-362"
      },
      {
        "category": "general",
        "text": "Uncontrolled Resource Consumption",
        "title": "CWE-400"
      },
      {
        "category": "general",
        "text": "Improper Resource Shutdown or Release",
        "title": "CWE-404"
      },
      {
        "category": "general",
        "text": "Use of Uninitialized Variable",
        "title": "CWE-457"
      },
      {
        "category": "general",
        "text": "NULL Pointer Dereference",
        "title": "CWE-476"
      },
      {
        "category": "general",
        "text": "Improper Restriction of XML External Entity Reference",
        "title": "CWE-611"
      },
      {
        "category": "general",
        "text": "Uncontrolled Recursion",
        "title": "CWE-674"
      },
      {
        "category": "general",
        "text": "Allocation of Resources Without Limits or Throttling",
        "title": "CWE-770"
      },
      {
        "category": "general",
        "text": "Out-of-bounds Write",
        "title": "CWE-787"
      },
      {
        "category": "general",
        "text": "Improper Control of Document Type Definition",
        "title": "CWE-827"
      },
      {
        "category": "general",
        "text": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
        "title": "CWE-843"
      },
      {
        "category": "general",
        "text": "Incorrect Authorization",
        "title": "CWE-863"
      },
      {
        "category": "general",
        "text": "Server-Side Request Forgery (SSRF)",
        "title": "CWE-918"
      },
      {
        "category": "general",
        "text": "CWE-937",
        "title": "CWE-937"
      },
      {
        "category": "general",
        "text": "CWE-1035",
        "title": "CWE-1035"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://www.oracle.com/security-alerts/cpujan2026.html"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Oracle Fusion Middleware",
    "tracking": {
      "current_release_date": "2026-01-21T10:08:59.379774Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2026-0027",
      "initial_release_date": "2026-01-21T10:08:59.379774Z",
      "revision_history": [
        {
          "date": "2026-01-21T10:08:59.379774Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "Data Integrator"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-2"
                }
              }
            ],
            "category": "product_name",
            "name": "Fusion Middleware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-3"
                }
              }
            ],
            "category": "product_name",
            "name": "Identity Manager Connector"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-4"
                }
              }
            ],
            "category": "product_name",
            "name": "Managed File Transfer"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-5"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Business Process Management Suite"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-6"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Coherence"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-7"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Global Lifecycle Management NextGen OUI Framework"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-8"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle HTTP Server"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-9"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-10"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Identity Manager"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-11"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Outside In Technology"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-12"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle SOA Suite"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-13"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Security Service"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-14"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Service Bus"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-15"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Unified Directory"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-16"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle WebCenter Enterprise Capture"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-17"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle WebLogic Server"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-18"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Weblogic Server Proxy Plug-in"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-19"
                }
              }
            ],
            "category": "product_name",
            "name": "Service Delivery Platform"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-20"
                }
              }
            ],
            "category": "product_name",
            "name": "WebCenter Sites"
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-45105",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "other",
          "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
          "title": "CWE-94"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Apache Log4j, Oracle products, and various dependencies expose systems to denial-of-service and remote code execution risks, necessitating updates to secure versions.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2021-45105 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2021/cve-2021-45105.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2021-45105"
    },
    {
      "cve": "CVE-2022-41342",
      "notes": [
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle products, including the Oracle HTTP Server and Database, allow for potential privilege escalation, remote code execution, and denial of service, with varying CVSS scores indicating significant risk.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-41342 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-2022-41342.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2022-41342"
    },
    {
      "cve": "CVE-2024-13009",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Resource Shutdown or Release",
          "title": "CWE-404"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle JD Edwards, Oracle Middleware, Eclipse Jetty, HPE Telco IP Mediation, and SAP Commerce Cloud expose systems to unauthorized access and data corruption, with CVSS scores reaching 7.2.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-13009 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-13009.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-13009"
    },
    {
      "cve": "CVE-2024-42516",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "other",
          "text": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
          "title": "CWE-113"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in Apache HTTP Server and Oracle HTTP Server, including CVE-2023-38709 and CVE-2024-42516, expose systems to risks such as HTTP response splitting, SSRF, and unauthorized access.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-42516 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-42516.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-42516"
    },
    {
      "cve": "CVE-2024-43204",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Server-Side Request Forgery (SSRF)",
          "title": "CWE-918"
        },
        {
          "category": "description",
          "text": "Apache HTTP Server versions prior to 2.4.64 are vulnerable to multiple security issues, including SSRF and HTTP response splitting, affecting mod_proxy and mod_headers configurations, with critical vulnerabilities also identified in Oracle HTTP Server.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-43204 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-43204.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-43204"
    },
    {
      "cve": "CVE-2024-47252",
      "cwe": {
        "id": "CWE-150",
        "name": "Improper Neutralization of Escape, Meta, or Control Sequences"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Escape, Meta, or Control Sequences",
          "title": "CWE-150"
        },
        {
          "category": "other",
          "text": "Improper Output Neutralization for Logs",
          "title": "CWE-117"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in Apache HTTP Server versions 2.4.63 and earlier, including insufficient escaping in mod_ssl, allow untrusted clients to compromise log integrity and potentially lead to unauthorized access and denial of service.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-47252 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-47252.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-47252"
    },
    {
      "cve": "CVE-2024-47554",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle Middleware, Documaker, and Apache Commons IO allow for denial of service attacks, with CVSS scores ranging from 4.3 to 7.5, affecting various versions of these products.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-47554 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-47554.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-47554"
    },
    {
      "cve": "CVE-2024-56406",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "other",
          "text": "Out-of-bounds Write",
          "title": "CWE-787"
        },
        {
          "category": "other",
          "text": "Heap-based Buffer Overflow",
          "title": "CWE-122"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in Oracle Fusion Middleware and Perl, including heap buffer overflows and denial of service risks, affect various versions, with CVSS scores indicating significant severity.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-56406 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-56406.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-56406"
    },
    {
      "cve": "CVE-2025-4949",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        },
        {
          "category": "other",
          "text": "Improper Control of Document Type Definition",
          "title": "CWE-827"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle Database Server, Oracle Fusion Middleware, and Eclipse JGit expose systems to unauthorized access, severe impacts, and information disclosure through various attack vectors.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-4949 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-4949.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-4949"
    },
    {
      "cve": "CVE-2025-5115",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities, including the \u0027MadeYouReset\u0027 attack in HTTP/2 and unauthenticated issues in Oracle products, can lead to denial of service across various platforms such as Eclipse Jetty and SAP Commerce Cloud.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-5115 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-5115.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-5115"
    },
    {
      "cve": "CVE-2025-12383",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
          "title": "CWE-362"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Oracle Database Server versions 23.4.0-23.26.0 have a vulnerability in the Fleet Patching and Provisioning component, while Eclipse Jersey versions 2.45, 3.0.16, and 3.1.9 may ignore critical SSL configurations due to a race condition.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-12383 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-12383.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-12383"
    },
    {
      "cve": "CVE-2025-23048",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Access Control",
          "title": "CWE-284"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in Apache HTTP Server versions 2.4.35 to 2.4.63 and Oracle HTTP Server allow unauthorized access, data modification, and denial of service, particularly through TLS session resumption and other exploit vectors.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-23048 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-23048.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-23048"
    },
    {
      "cve": "CVE-2025-26333",
      "cwe": {
        "id": "CWE-209",
        "name": "Generation of Error Message Containing Sensitive Information"
      },
      "notes": [
        {
          "category": "other",
          "text": "Generation of Error Message Containing Sensitive Information",
          "title": "CWE-209"
        },
        {
          "category": "description",
          "text": "Oracle Database Server and Oracle GoldenGate have Security-in-Depth issues related to Dell BSAFE Crypto-J, which cannot be exploited within their respective contexts, although error messages may expose sensitive information.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-26333 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-26333.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-26333"
    },
    {
      "cve": "CVE-2025-31672",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified across various Oracle and Apache POI products, including improper input validation and unauthorized data access, affecting versions 5.4.0 and earlier, with CVSS scores of 5.3.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-31672 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-31672.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-31672"
    },
    {
      "cve": "CVE-2025-41248",
      "cwe": {
        "id": "CWE-289",
        "name": "Authentication Bypass by Alternate Name"
      },
      "notes": [
        {
          "category": "other",
          "text": "Authentication Bypass by Alternate Name",
          "title": "CWE-289"
        },
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle Financial Services Model Management and Spring Framework versions expose critical data and may lead to authorization bypass, with significant confidentiality impacts.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-41248 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-41248.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-41248"
    },
    {
      "cve": "CVE-2025-41249",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Authorization",
          "title": "CWE-285"
        },
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified in Oracle Financial Services and Retail products, as well as the Spring Framework, allowing unauthorized access to sensitive data and potentially leading to information disclosure.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-41249 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-41249.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-41249"
    },
    {
      "cve": "CVE-2025-43967",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "other",
          "text": "NULL Pointer Dereference",
          "title": "CWE-476"
        },
        {
          "category": "description",
          "text": "Oracle Hyperion Financial Reporting (version 11.2.23) has a denial of service vulnerability (CVSS 7.5), while libheif library versions prior to 1.19.6 have a NULL pointer dereference issue in the ImageItem_Grid::get_decoder function.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-43967 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-43967.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-43967"
    },
    {
      "cve": "CVE-2025-48924",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified in Oracle WebLogic Server and Oracle Communications ASAP, both allowing unauthenticated partial denial of service, alongside an uncontrolled recursion issue in Apache Commons Lang leading to potential application crashes.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48924 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48924.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-48924"
    },
    {
      "cve": "CVE-2025-48976",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Multiple denial-of-service vulnerabilities have been identified in Oracle Application Testing Suite, Oracle Agile PLM, Apache Commons FileUpload, and HPE IceWall Identity Manager, with CVSS scores of 7.5 for some products.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48976 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48976.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-48976"
    },
    {
      "cve": "CVE-2025-49796",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "other",
          "text": "Out-of-bounds Read",
          "title": "CWE-125"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle Banking Branch and Oracle Communications Cloud Native Core Certificate Management products, as well as libxml2, could lead to critical data compromise and denial of service, with CVSS scores reaching 9.1.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49796 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49796.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-49796"
    },
    {
      "cve": "CVE-2025-53864",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle WebLogic Server, Oracle GoldenGate, and Connect2id Nimbus JOSE + JWT allow unauthenticated attackers to exploit denial of service conditions, affecting various versions with CVSS scores of 5.8.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-53864 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53864.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-53864"
    },
    {
      "cve": "CVE-2025-54571",
      "cwe": {
        "id": "CWE-252",
        "name": "Unchecked Return Value"
      },
      "notes": [
        {
          "category": "other",
          "text": "Unchecked Return Value",
          "title": "CWE-252"
        },
        {
          "category": "other",
          "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "title": "CWE-79"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle HTTP Server and ModSecurity allow for denial of service and potential XSS attacks, affecting specific versions with significant severity scores.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-54571 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-54571.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-54571"
    },
    {
      "cve": "CVE-2025-54874",
      "cwe": {
        "id": "CWE-457",
        "name": "Use of Uninitialized Variable"
      },
      "notes": [
        {
          "category": "other",
          "text": "Use of Uninitialized Variable",
          "title": "CWE-457"
        },
        {
          "category": "description",
          "text": "Oracle Fusion Middleware has a critical vulnerability (CVSS 9.8) allowing unauthenticated access, while OpenJPEG versions 2.5.1 to 2.5.3 contain a flaw leading to out-of-bounds heap memory writes.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-54874 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-54874.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-54874"
    },
    {
      "cve": "CVE-2025-54988",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Apache Tika versions 1.13 to 3.2.1 have a critical XXE vulnerability, while Oracle PeopleSoft\u0027s OpenSearch component in versions 8.60 to 8.62 is also affected by an easily exploitable vulnerability.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-54988 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-54988.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-54988"
    },
    {
      "cve": "CVE-2025-55163",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Recent updates to Netty and Oracle Communications products address critical vulnerabilities, including the \u0027MadeYouReset\u0027 attack in HTTP/2, which can lead to denial of service and resource exhaustion.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-55163 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55163.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-55163"
    },
    {
      "cve": "CVE-2025-59375",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities, including a memory amplification issue in libexpat and a DoS vulnerability in Oracle Communications Network Analytics, can lead to denial-of-service attacks without enabling arbitrary code execution.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-59375 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-59375.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-59375"
    },
    {
      "cve": "CVE-2025-66516",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Apache Tika has a critical XML External Entity (XXE) injection vulnerability affecting multiple modules, particularly in PDF parsing, allowing remote attackers to exploit crafted files for sensitive information disclosure or remote code execution.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-66516 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-66516.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-66516"
    },
    {
      "cve": "CVE-2026-21962",
      "notes": [
        {
          "category": "description",
          "text": "A critical vulnerability in Oracle HTTP Server and Oracle Weblogic Server Proxy Plug-in allows unauthenticated attackers to compromise systems, affecting specific versions with a CVSS score of 10.0.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-21962 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-21962.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2026-21962"
    }
  ]
}

OPENSUSE-SU-2024:14387-1

Vulnerability from csaf_opensuse - Published: 2024-10-08 00:00 - Updated: 2024-10-08 00:00

Summary

apache-commons-io-2.17.0-2.1 on GA media

Severity

Moderate

Notes

Title of the patch: apache-commons-io-2.17.0-2.1 on GA media

Description of the patch: These are all security issues fixed in the apache-commons-io-2.17.0-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-14387

CVE-2024-47554

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

7 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://lists.opensuse.org/archives/list/security…	self
https://lists.opensuse.org/archives/list/security…	self
https://www.suse.com/security/cve/CVE-2024-47554/	self
https://www.suse.com/security/cve/CVE-2024-47554	external
https://bugzilla.suse.com/1231298	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "apache-commons-io-2.17.0-2.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the apache-commons-io-2.17.0-2.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-14387",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14387-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2024:14387-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JRY5QEEISAVBMYG363PQWMMY2EMLEE5E/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2024:14387-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JRY5QEEISAVBMYG363PQWMMY2EMLEE5E/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-47554 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-47554/"
      }
    ],
    "title": "apache-commons-io-2.17.0-2.1 on GA media",
    "tracking": {
      "current_release_date": "2024-10-08T00:00:00Z",
      "generator": {
        "date": "2024-10-08T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:14387-1",
      "initial_release_date": "2024-10-08T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-10-08T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache-commons-io-2.17.0-2.1.aarch64",
                "product": {
                  "name": "apache-commons-io-2.17.0-2.1.aarch64",
                  "product_id": "apache-commons-io-2.17.0-2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "apache-commons-io-javadoc-2.17.0-2.1.aarch64",
                "product": {
                  "name": "apache-commons-io-javadoc-2.17.0-2.1.aarch64",
                  "product_id": "apache-commons-io-javadoc-2.17.0-2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache-commons-io-2.17.0-2.1.ppc64le",
                "product": {
                  "name": "apache-commons-io-2.17.0-2.1.ppc64le",
                  "product_id": "apache-commons-io-2.17.0-2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "apache-commons-io-javadoc-2.17.0-2.1.ppc64le",
                "product": {
                  "name": "apache-commons-io-javadoc-2.17.0-2.1.ppc64le",
                  "product_id": "apache-commons-io-javadoc-2.17.0-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache-commons-io-2.17.0-2.1.s390x",
                "product": {
                  "name": "apache-commons-io-2.17.0-2.1.s390x",
                  "product_id": "apache-commons-io-2.17.0-2.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "apache-commons-io-javadoc-2.17.0-2.1.s390x",
                "product": {
                  "name": "apache-commons-io-javadoc-2.17.0-2.1.s390x",
                  "product_id": "apache-commons-io-javadoc-2.17.0-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache-commons-io-2.17.0-2.1.x86_64",
                "product": {
                  "name": "apache-commons-io-2.17.0-2.1.x86_64",
                  "product_id": "apache-commons-io-2.17.0-2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "apache-commons-io-javadoc-2.17.0-2.1.x86_64",
                "product": {
                  "name": "apache-commons-io-javadoc-2.17.0-2.1.x86_64",
                  "product_id": "apache-commons-io-javadoc-2.17.0-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.17.0-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.aarch64"
        },
        "product_reference": "apache-commons-io-2.17.0-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.17.0-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.ppc64le"
        },
        "product_reference": "apache-commons-io-2.17.0-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.17.0-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.s390x"
        },
        "product_reference": "apache-commons-io-2.17.0-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.17.0-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.x86_64"
        },
        "product_reference": "apache-commons-io-2.17.0-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-javadoc-2.17.0-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.aarch64"
        },
        "product_reference": "apache-commons-io-javadoc-2.17.0-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-javadoc-2.17.0-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.ppc64le"
        },
        "product_reference": "apache-commons-io-javadoc-2.17.0-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-javadoc-2.17.0-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.s390x"
        },
        "product_reference": "apache-commons-io-javadoc-2.17.0-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-javadoc-2.17.0-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.x86_64"
        },
        "product_reference": "apache-commons-io-javadoc-2.17.0-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-47554",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-47554"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\n\nThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\n\n\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\n\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.aarch64",
          "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.ppc64le",
          "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.s390x",
          "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.x86_64",
          "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.aarch64",
          "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.ppc64le",
          "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.s390x",
          "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-47554",
          "url": "https://www.suse.com/security/cve/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1231298 for CVE-2024-47554",
          "url": "https://bugzilla.suse.com/1231298"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.aarch64",
            "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.ppc64le",
            "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.s390x",
            "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.x86_64",
            "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.aarch64",
            "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.ppc64le",
            "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.s390x",
            "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.aarch64",
            "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.ppc64le",
            "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.s390x",
            "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.x86_64",
            "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.aarch64",
            "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.ppc64le",
            "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.s390x",
            "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-10-08T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-47554"
    }
  ]
}

RHSA-2024:8826

Vulnerability from csaf_redhat - Published: 2024-11-04 20:56 - Updated: 2026-06-01 17:18

Summary

Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.0.4 Security update

Severity

Important

Notes

Topic: A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 8.0.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 8.0.3, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 8.0.4 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * org.apache.cxf/cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients [eap-8.0.z] (CVE-2024-41172) * com.nimbusds/nimbus-jose-jwt: large JWE p2c header value causes Denial of Service [eap-8.0.z] (CVE-2023-52428) * wildfly-domain-http: wildfly: No timeout for EAP management interface may lead to Denial of Service (DoS) [eap-8.0.z] (CVE-2024-4029) * xalan: OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407) [eap-8.0.z] (CVE-2022-34169) * org.keycloak/keycloak-services: Vulnerable Redirect URI Validation Results in Open Redirec [eap-8.0.z] (CVE-2024-8883) * org.keycloak/keycloak-saml-core-public: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak [eap-8.0.z] (CVE-2024-8698) * org.keycloak/keycloak-saml-core: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak [eap-8.0.z] (CVE-2024-8698) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2022-34169

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-192 - Integer Coercion Error

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat JBoss Enterprise Application Platform 8 Red Hat / Red Hat JBoss Enterprise Application Platform	`cpe:/a:redhat:jboss_enterprise_application_platform:8.0`	—	Vendor Fix fix

Threats

Impact Important

CVE-2023-52428

A vulnerability was found in the Nimbus Jose JWT package. By crafting a JWE with an excessively large p2c value, an attacker can trigger significant resource consumption during decryption, potentially leading to application slowdown or unavailability.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat JBoss Enterprise Application Platform 8 Red Hat / Red Hat JBoss Enterprise Application Platform	`cpe:/a:redhat:jboss_enterprise_application_platform:8.0`	—	Vendor Fix fix

Threats

Impact Important

CVE-2024-4029

A vulnerability was found in Wildfly’s management interface. Due to the lack of limitation of sockets for the management interface, it may be possible to cause a denial of service hitting the nofile limit as there is no possibility to configure or set a maximum number of connections.

4.1 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat JBoss Enterprise Application Platform 8 Red Hat / Red Hat JBoss Enterprise Application Platform	`cpe:/a:redhat:jboss_enterprise_application_platform:8.0`	—	Vendor Fix fix Workaround

Threats

Impact Low

CVE-2024-8698

A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.

7.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

CWE-347 - Improper Verification of Cryptographic Signature

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat JBoss Enterprise Application Platform 8 Red Hat / Red Hat JBoss Enterprise Application Platform	`cpe:/a:redhat:jboss_enterprise_application_platform:8.0`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2024-8883

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat JBoss Enterprise Application Platform 8 Red Hat / Red Hat JBoss Enterprise Application Platform	`cpe:/a:redhat:jboss_enterprise_application_platform:8.0`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-41172

A memory consumption flaw was found in Apache CXF. This issue may allow a CXF HTTP client conduit to prevent HTTPClient instances from being garbage collected, eventually causing the application to run out of memory.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-401 - Missing Release of Memory after Effective Lifetime

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat JBoss Enterprise Application Platform 8 Red Hat / Red Hat JBoss Enterprise Application Platform	`cpe:/a:redhat:jboss_enterprise_application_platform:8.0`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2024-47554

A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed.

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat JBoss Enterprise Application Platform 8 Red Hat / Red Hat JBoss Enterprise Application Platform	`cpe:/a:redhat:jboss_enterprise_application_platform:8.0`	—	Vendor Fix fix

Threats

Impact Moderate

References

60 references

URL	Category
https://access.redhat.com/errata/RHSA-2024:8826	self
https://access.redhat.com/security/updates/classi…	external
https://docs.redhat.com/en/documentation/red_hat_…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2108554	external
https://bugzilla.redhat.com/show_bug.cgi?id=2278615	external
https://bugzilla.redhat.com/show_bug.cgi?id=2298829	external
https://bugzilla.redhat.com/show_bug.cgi?id=2309764	external
https://bugzilla.redhat.com/show_bug.cgi?id=2311641	external
https://bugzilla.redhat.com/show_bug.cgi?id=2312511	external
https://issues.redhat.com/browse/JBEAP-24945	external
https://issues.redhat.com/browse/JBEAP-25035	external
https://issues.redhat.com/browse/JBEAP-27002	external
https://issues.redhat.com/browse/JBEAP-27194	external
https://issues.redhat.com/browse/JBEAP-27276	external
https://issues.redhat.com/browse/JBEAP-27293	external
https://issues.redhat.com/browse/JBEAP-27392	external
https://issues.redhat.com/browse/JBEAP-27543	external
https://issues.redhat.com/browse/JBEAP-27585	external
https://issues.redhat.com/browse/JBEAP-27643	external
https://issues.redhat.com/browse/JBEAP-27659	external
https://issues.redhat.com/browse/JBEAP-27688	external
https://issues.redhat.com/browse/JBEAP-27694	external
https://issues.redhat.com/browse/JBEAP-27957	external
https://issues.redhat.com/browse/JBEAP-28057	external
https://issues.redhat.com/browse/JBEAP-28278	external
https://issues.redhat.com/browse/JBEAP-28289	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2022-34169	self
https://bugzilla.redhat.com/show_bug.cgi?id=2108554	external
https://www.cve.org/CVERecord?id=CVE-2022-34169	external
https://nvd.nist.gov/vuln/detail/CVE-2022-34169	external
https://access.redhat.com/security/cve/CVE-2023-52428	self
https://bugzilla.redhat.com/show_bug.cgi?id=2309764	external
https://www.cve.org/CVERecord?id=CVE-2023-52428	external
https://nvd.nist.gov/vuln/detail/CVE-2023-52428	external
https://access.redhat.com/security/cve/CVE-2024-4029	self
https://bugzilla.redhat.com/show_bug.cgi?id=2278615	external
https://www.cve.org/CVERecord?id=CVE-2024-4029	external
https://nvd.nist.gov/vuln/detail/CVE-2024-4029	external
https://access.redhat.com/security/cve/CVE-2024-8698	self
https://bugzilla.redhat.com/show_bug.cgi?id=2311641	external
https://www.cve.org/CVERecord?id=CVE-2024-8698	external
https://nvd.nist.gov/vuln/detail/CVE-2024-8698	external
https://access.redhat.com/security/cve/CVE-2024-8883	self
https://bugzilla.redhat.com/show_bug.cgi?id=2312511	external
https://www.cve.org/CVERecord?id=CVE-2024-8883	external
https://nvd.nist.gov/vuln/detail/CVE-2024-8883	external
https://github.com/keycloak/keycloak/blob/main/se…	external
https://access.redhat.com/security/cve/CVE-2024-41172	self
https://bugzilla.redhat.com/show_bug.cgi?id=2298829	external
https://www.cve.org/CVERecord?id=CVE-2024-41172	external
https://nvd.nist.gov/vuln/detail/CVE-2024-41172	external
https://github.com/advisories/GHSA-4mgg-fqfq-64hg	external
https://lists.apache.org/thread/n2hvbrgwpdtcqdcco…	external
https://osv.dev/vulnerability/GHSA-4mgg-fqfq-64hg	external
https://access.redhat.com/security/cve/CVE-2024-47554	self
https://bugzilla.redhat.com/show_bug.cgi?id=2316271	external
https://www.cve.org/CVERecord?id=CVE-2024-47554	external
https://nvd.nist.gov/vuln/detail/CVE-2024-47554	external
https://lists.apache.org/thread/6ozr91rr9cj5lm0zy…	external

Acknowledgments

Tanner Emek

Niklas Conrad Karsten Meyer zu Selhausen

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0. Red Hat Product Security has rated\nthis update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 8.0.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 8.0.3, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 8.0.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* org.apache.cxf/cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients [eap-8.0.z] (CVE-2024-41172)\n\n* com.nimbusds/nimbus-jose-jwt: large JWE p2c header value causes Denial of Service [eap-8.0.z] (CVE-2023-52428)\n\n* wildfly-domain-http: wildfly: No timeout for EAP management interface may lead to Denial of Service (DoS) [eap-8.0.z] (CVE-2024-4029)\n\n* xalan: OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407) [eap-8.0.z] (CVE-2022-34169)\n\n* org.keycloak/keycloak-services: Vulnerable Redirect URI Validation Results in Open Redirec [eap-8.0.z] (CVE-2024-8883)\n\n* org.keycloak/keycloak-saml-core-public: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak [eap-8.0.z] (CVE-2024-8698)\n\n* org.keycloak/keycloak-saml-core: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak [eap-8.0.z] (CVE-2024-8698)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:8826",
        "url": "https://access.redhat.com/errata/RHSA-2024:8826"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0",
        "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0"
      },
      {
        "category": "external",
        "summary": "2108554",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2108554"
      },
      {
        "category": "external",
        "summary": "2278615",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278615"
      },
      {
        "category": "external",
        "summary": "2298829",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298829"
      },
      {
        "category": "external",
        "summary": "2309764",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309764"
      },
      {
        "category": "external",
        "summary": "2311641",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311641"
      },
      {
        "category": "external",
        "summary": "2312511",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312511"
      },
      {
        "category": "external",
        "summary": "JBEAP-24945",
        "url": "https://issues.redhat.com/browse/JBEAP-24945"
      },
      {
        "category": "external",
        "summary": "JBEAP-25035",
        "url": "https://issues.redhat.com/browse/JBEAP-25035"
      },
      {
        "category": "external",
        "summary": "JBEAP-27002",
        "url": "https://issues.redhat.com/browse/JBEAP-27002"
      },
      {
        "category": "external",
        "summary": "JBEAP-27194",
        "url": "https://issues.redhat.com/browse/JBEAP-27194"
      },
      {
        "category": "external",
        "summary": "JBEAP-27276",
        "url": "https://issues.redhat.com/browse/JBEAP-27276"
      },
      {
        "category": "external",
        "summary": "JBEAP-27293",
        "url": "https://issues.redhat.com/browse/JBEAP-27293"
      },
      {
        "category": "external",
        "summary": "JBEAP-27392",
        "url": "https://issues.redhat.com/browse/JBEAP-27392"
      },
      {
        "category": "external",
        "summary": "JBEAP-27543",
        "url": "https://issues.redhat.com/browse/JBEAP-27543"
      },
      {
        "category": "external",
        "summary": "JBEAP-27585",
        "url": "https://issues.redhat.com/browse/JBEAP-27585"
      },
      {
        "category": "external",
        "summary": "JBEAP-27643",
        "url": "https://issues.redhat.com/browse/JBEAP-27643"
      },
      {
        "category": "external",
        "summary": "JBEAP-27659",
        "url": "https://issues.redhat.com/browse/JBEAP-27659"
      },
      {
        "category": "external",
        "summary": "JBEAP-27688",
        "url": "https://issues.redhat.com/browse/JBEAP-27688"
      },
      {
        "category": "external",
        "summary": "JBEAP-27694",
        "url": "https://issues.redhat.com/browse/JBEAP-27694"
      },
      {
        "category": "external",
        "summary": "JBEAP-27957",
        "url": "https://issues.redhat.com/browse/JBEAP-27957"
      },
      {
        "category": "external",
        "summary": "JBEAP-28057",
        "url": "https://issues.redhat.com/browse/JBEAP-28057"
      },
      {
        "category": "external",
        "summary": "JBEAP-28278",
        "url": "https://issues.redhat.com/browse/JBEAP-28278"
      },
      {
        "category": "external",
        "summary": "JBEAP-28289",
        "url": "https://issues.redhat.com/browse/JBEAP-28289"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8826.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.0.4 Security update",
    "tracking": {
      "current_release_date": "2026-06-01T17:18:25+00:00",
      "generator": {
        "date": "2026-06-01T17:18:25+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.1"
        }
      },
      "id": "RHSA-2024:8826",
      "initial_release_date": "2024-11-04T20:56:02+00:00",
      "revision_history": [
        {
          "date": "2024-11-04T20:56:02+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-11-04T20:56:02+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-01T17:18:25+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Enterprise Application Platform 8",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 8",
                  "product_id": "Red Hat JBoss Enterprise Application Platform 8",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-34169",
      "cwe": {
        "id": "CWE-192",
        "name": "Integer Coercion Error"
      },
      "discovery_date": "2022-07-12T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2108554"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-34169"
        },
        {
          "category": "external",
          "summary": "RHBZ#2108554",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2108554"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-34169",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-34169"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-34169",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34169"
        }
      ],
      "release_date": "2022-07-19T20:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-04T20:56:02+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:8826"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)"
    },
    {
      "cve": "CVE-2023-52428",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-09-04T17:02:58.468000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2309764"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in the Nimbus Jose JWT package. By crafting a JWE with an excessively large p2c value, an attacker can trigger significant resource consumption during decryption, potentially leading to application slowdown or unavailability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "nimbus-jose-jwt: large JWE p2c header value causes Denial of Service",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-52428"
        },
        {
          "category": "external",
          "summary": "RHBZ#2309764",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309764"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-52428",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-52428"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-52428",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52428"
        }
      ],
      "release_date": "2024-02-11T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-04T20:56:02+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:8826"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "nimbus-jose-jwt: large JWE p2c header value causes Denial of Service"
    },
    {
      "cve": "CVE-2024-4029",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2024-04-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2278615"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Wildfly\u2019s management interface. Due to the lack of limitation of sockets for the management interface, it may be possible to cause a denial of service hitting the nofile limit as there is no possibility to configure or set a maximum number of connections.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "wildfly: No timeout for EAP management interface may lead to Denial of Service (DoS)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat rates this as a Low impact since this requires high privileges to jeopardize the system. The management interface is normally internal/local only and not exposed externally.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-4029"
        },
        {
          "category": "external",
          "summary": "RHBZ#2278615",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278615"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-4029",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-4029"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-4029",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4029"
        }
      ],
      "release_date": "2024-05-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-04T20:56:02+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:8826"
        },
        {
          "category": "workaround",
          "details": "Currently there is no available mitigation for this vulnerability. Please make sure to perform updates as they become available.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "wildfly: No timeout for EAP management interface may lead to Denial of Service (DoS)"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Tanner Emek"
          ]
        }
      ],
      "cve": "CVE-2024-8698",
      "cwe": {
        "id": "CWE-347",
        "name": "Improper Verification of Cryptographic Signature"
      },
      "discovery_date": "2024-09-10T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2311641"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak-saml-core: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is of high severity due to its potential to facilitate privilege escalation and user impersonation in systems using SAML for authentication. The core issue stems from improper validation logic in Keycloak\u0027s signature validation method, which relies on the position of signatures rather than explicitly checking the referenced elements. By manipulating the XML structure, an attacker can bypass signature validation and inject an unsigned assertion while retaining a valid signed one. This allows unauthorized access to high-privileged accounts, leading to significant security risks in SAML-based identity providers and service providers.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-8698"
        },
        {
          "category": "external",
          "summary": "RHBZ#2311641",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311641"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-8698",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-8698"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8698",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8698"
        }
      ],
      "release_date": "2024-09-19T15:12:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-04T20:56:02+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:8826"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "keycloak-saml-core: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Niklas Conrad",
            "Karsten Meyer zu Selhausen"
          ]
        }
      ],
      "cve": "CVE-2024-8883",
      "cwe": {
        "id": "CWE-601",
        "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
      },
      "discovery_date": "2024-09-16T06:17:01.573000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2312511"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a \u0027Valid Redirect URI\u0027 is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Keycloak: Vulnerable Redirect URI Validation Results in Open Redirec",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-8883"
        },
        {
          "category": "external",
          "summary": "RHBZ#2312511",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312511"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-8883",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-8883"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8883",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8883"
        },
        {
          "category": "external",
          "summary": "https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java",
          "url": "https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java"
        }
      ],
      "release_date": "2024-09-19T15:13:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-04T20:56:02+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:8826"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Keycloak: Vulnerable Redirect URI Validation Results in Open Redirec"
    },
    {
      "cve": "CVE-2024-41172",
      "cwe": {
        "id": "CWE-401",
        "name": "Missing Release of Memory after Effective Lifetime"
      },
      "discovery_date": "2024-07-19T09:20:34+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2298829"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A memory consumption flaw was found in Apache CXF. This issue may allow a CXF HTTP client conduit to prevent HTTPClient instances from being garbage collected, eventually causing the application to run out of memory.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache: cxf: org.apache.cxf:cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-41172"
        },
        {
          "category": "external",
          "summary": "RHBZ#2298829",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298829"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-41172",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-41172"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-41172",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41172"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-4mgg-fqfq-64hg",
          "url": "https://github.com/advisories/GHSA-4mgg-fqfq-64hg"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6",
          "url": "https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6"
        },
        {
          "category": "external",
          "summary": "https://osv.dev/vulnerability/GHSA-4mgg-fqfq-64hg",
          "url": "https://osv.dev/vulnerability/GHSA-4mgg-fqfq-64hg"
        }
      ],
      "release_date": "2024-07-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-04T20:56:02+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:8826"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "apache: cxf: org.apache.cxf:cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients"
    },
    {
      "cve": "CVE-2024-47554",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-03T12:00:40.921058+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2316271"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "RHBZ#2316271",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-47554",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1",
          "url": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1"
        }
      ],
      "release_date": "2024-10-03T11:32:48.936000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-04T20:56:02+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:8826"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader"
    }
  ]
}

RHSA-2024:9571

Vulnerability from csaf_redhat - Published: 2024-11-13 16:21 - Updated: 2026-06-02 15:18

Summary

Red Hat Security Advisory: Streams for Apache Kafka 2.8.0 release and security update

Severity

Moderate

Notes

Topic: Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. This release of Red Hat AMQ Streams 2.8.0 serves as a replacement for Red Hat AMQ Streams 2.7.0, and includes security and bug fixes, and enhancements. Security Fix(es): * Zookeeper, Kafka, Cruise Control: org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] "(CVE-2024-8184)" * Zookeeper, Kafka : org.eclipse.jetty/jetty-servlets: Jetty DOS vulnerability on DosFilter [amq-st-2] "(CVE-2024-9823)" * Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader "(CVE-2024-47554)" * Kafka: (com.google.protobuf:protobuf-java@3.23.4). Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users "(CVE-2024-7254)" "Drain Cleaner: Awaiting Analysis(CVE-2024-29025)" * Kroxylicoius: When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. "(CVE-2024-8285)"

CVE-2024-7254

A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2024-8184

A flaw was found in Jetty's ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-8285

A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE-297 - Improper Validation of Certificate with Host Mismatch

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-9823

A flaw was found in Jetty. The DosFilter can be exploited remotely by unauthorized users to trigger an out-of-memory condition by repeatedly sending specially crafted requests. This issue may cause a crash, leading to a denial of service.

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-29025

A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-47554

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix

Threats

Impact Moderate

References

69 references

URL	Category
https://access.redhat.com/errata/RHSA-2024:9571	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2272907	external
https://bugzilla.redhat.com/show_bug.cgi?id=2308606	external
https://bugzilla.redhat.com/show_bug.cgi?id=2313454	external
https://bugzilla.redhat.com/show_bug.cgi?id=2316271	external
https://bugzilla.redhat.com/show_bug.cgi?id=2318564	external
https://bugzilla.redhat.com/show_bug.cgi?id=2318565	external
https://issues.redhat.com/browse/ASUI-91	external
https://issues.redhat.com/browse/ENTMQST-2632	external
https://issues.redhat.com/browse/ENTMQST-3288	external
https://issues.redhat.com/browse/ENTMQST-4019	external
https://issues.redhat.com/browse/ENTMQST-5199	external
https://issues.redhat.com/browse/ENTMQST-5669	external
https://issues.redhat.com/browse/ENTMQST-5674	external
https://issues.redhat.com/browse/ENTMQST-5740	external
https://issues.redhat.com/browse/ENTMQST-5789	external
https://issues.redhat.com/browse/ENTMQST-5843	external
https://issues.redhat.com/browse/ENTMQST-5850	external
https://issues.redhat.com/browse/ENTMQST-5863	external
https://issues.redhat.com/browse/ENTMQST-5865	external
https://issues.redhat.com/browse/ENTMQST-5915	external
https://issues.redhat.com/browse/ENTMQST-6028	external
https://issues.redhat.com/browse/ENTMQST-6032	external
https://issues.redhat.com/browse/ENTMQST-6129	external
https://issues.redhat.com/browse/ENTMQST-6183	external
https://issues.redhat.com/browse/ENTMQST-6205	external
https://issues.redhat.com/browse/ENTMQST-6225	external
https://issues.redhat.com/browse/ENTMQST-6341	external
https://issues.redhat.com/browse/ENTMQST-6421	external
https://issues.redhat.com/browse/ENTMQST-6422	external
https://issues.redhat.com/browse/ENTMQSTPR-43	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2024-7254	self
https://bugzilla.redhat.com/show_bug.cgi?id=2313454	external
https://www.cve.org/CVERecord?id=CVE-2024-7254	external
https://nvd.nist.gov/vuln/detail/CVE-2024-7254	external
https://github.com/protocolbuffers/protobuf/commi…	external
https://access.redhat.com/security/cve/CVE-2024-8184	self
https://bugzilla.redhat.com/show_bug.cgi?id=2318564	external
https://www.cve.org/CVERecord?id=CVE-2024-8184	external
https://nvd.nist.gov/vuln/detail/CVE-2024-8184	external
https://github.com/jetty/jetty.project/pull/11723	external
https://github.com/jetty/jetty.project/security/a…	external
https://gitlab.eclipse.org/security/cve-assigneme…	external
https://access.redhat.com/security/cve/CVE-2024-8285	self
https://bugzilla.redhat.com/show_bug.cgi?id=2308606	external
https://www.cve.org/CVERecord?id=CVE-2024-8285	external
https://nvd.nist.gov/vuln/detail/CVE-2024-8285	external
https://access.redhat.com/security/cve/CVE-2024-9823	self
https://bugzilla.redhat.com/show_bug.cgi?id=2318565	external
https://www.cve.org/CVERecord?id=CVE-2024-9823	external
https://nvd.nist.gov/vuln/detail/CVE-2024-9823	external
https://github.com/jetty/jetty.project/issues/1256	external
https://github.com/jetty/jetty.project/security/a…	external
https://gitlab.eclipse.org/security/cve-assigneme…	external
https://access.redhat.com/security/cve/CVE-2024-29025	self
https://bugzilla.redhat.com/show_bug.cgi?id=2272907	external
https://www.cve.org/CVERecord?id=CVE-2024-29025	external
https://nvd.nist.gov/vuln/detail/CVE-2024-29025	external
https://gist.github.com/vietj/f558b8ea81ec6505f1e…	external
https://github.com/netty/netty/commit/0d0c6ed782d…	external
https://github.com/netty/netty/security/advisorie…	external
https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812	external
https://access.redhat.com/security/cve/CVE-2024-47554	self
https://bugzilla.redhat.com/show_bug.cgi?id=2316271	external
https://www.cve.org/CVERecord?id=CVE-2024-47554	external
https://nvd.nist.gov/vuln/detail/CVE-2024-47554	external
https://lists.apache.org/thread/6ozr91rr9cj5lm0zy…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat AMQ Streams 2.8.0 serves as a replacement for Red Hat\nAMQ Streams 2.7.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n* Zookeeper, Kafka, Cruise Control: org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] \n\"(CVE-2024-8184)\"\n\n* Zookeeper, Kafka : org.eclipse.jetty/jetty-servlets: Jetty DOS vulnerability on DosFilter [amq-st-2] \"(CVE-2024-9823)\"\n\n* Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader \"(CVE-2024-47554)\"\n\n* Kafka: (com.google.protobuf:protobuf-java@3.23.4). Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users \"(CVE-2024-7254)\"\n\n\"Drain Cleaner: Awaiting Analysis(CVE-2024-29025)\"\n\n* Kroxylicoius: When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server\u0027s hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. \"(CVE-2024-8285)\"",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:9571",
        "url": "https://access.redhat.com/errata/RHSA-2024:9571"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "2272907",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272907"
      },
      {
        "category": "external",
        "summary": "2308606",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2308606"
      },
      {
        "category": "external",
        "summary": "2313454",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
      },
      {
        "category": "external",
        "summary": "2316271",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
      },
      {
        "category": "external",
        "summary": "2318564",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318564"
      },
      {
        "category": "external",
        "summary": "2318565",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318565"
      },
      {
        "category": "external",
        "summary": "ASUI-91",
        "url": "https://issues.redhat.com/browse/ASUI-91"
      },
      {
        "category": "external",
        "summary": "ENTMQST-2632",
        "url": "https://issues.redhat.com/browse/ENTMQST-2632"
      },
      {
        "category": "external",
        "summary": "ENTMQST-3288",
        "url": "https://issues.redhat.com/browse/ENTMQST-3288"
      },
      {
        "category": "external",
        "summary": "ENTMQST-4019",
        "url": "https://issues.redhat.com/browse/ENTMQST-4019"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5199",
        "url": "https://issues.redhat.com/browse/ENTMQST-5199"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5669",
        "url": "https://issues.redhat.com/browse/ENTMQST-5669"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5674",
        "url": "https://issues.redhat.com/browse/ENTMQST-5674"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5740",
        "url": "https://issues.redhat.com/browse/ENTMQST-5740"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5789",
        "url": "https://issues.redhat.com/browse/ENTMQST-5789"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5843",
        "url": "https://issues.redhat.com/browse/ENTMQST-5843"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5850",
        "url": "https://issues.redhat.com/browse/ENTMQST-5850"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5863",
        "url": "https://issues.redhat.com/browse/ENTMQST-5863"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5865",
        "url": "https://issues.redhat.com/browse/ENTMQST-5865"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5915",
        "url": "https://issues.redhat.com/browse/ENTMQST-5915"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6028",
        "url": "https://issues.redhat.com/browse/ENTMQST-6028"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6032",
        "url": "https://issues.redhat.com/browse/ENTMQST-6032"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6129",
        "url": "https://issues.redhat.com/browse/ENTMQST-6129"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6183",
        "url": "https://issues.redhat.com/browse/ENTMQST-6183"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6205",
        "url": "https://issues.redhat.com/browse/ENTMQST-6205"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6225",
        "url": "https://issues.redhat.com/browse/ENTMQST-6225"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6341",
        "url": "https://issues.redhat.com/browse/ENTMQST-6341"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6421",
        "url": "https://issues.redhat.com/browse/ENTMQST-6421"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6422",
        "url": "https://issues.redhat.com/browse/ENTMQST-6422"
      },
      {
        "category": "external",
        "summary": "ENTMQSTPR-43",
        "url": "https://issues.redhat.com/browse/ENTMQSTPR-43"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9571.json"
      }
    ],
    "title": "Red Hat Security Advisory: Streams for Apache Kafka 2.8.0 release and security update",
    "tracking": {
      "current_release_date": "2026-06-02T15:18:39+00:00",
      "generator": {
        "date": "2026-06-02T15:18:39+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.1"
        }
      },
      "id": "RHSA-2024:9571",
      "initial_release_date": "2024-11-13T16:21:03+00:00",
      "revision_history": [
        {
          "date": "2024-11-13T16:21:03+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-11-13T16:21:03+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-02T15:18:39+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Streams for Apache Kafka 2.8.0",
                "product": {
                  "name": "Streams for Apache Kafka 2.8.0",
                  "product_id": "Streams for Apache Kafka 2.8.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:amq_streams:2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Streams for Apache Kafka"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-7254",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2024-09-19T01:20:29.981665+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2313454"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "protobuf: StackOverflow vulnerability in Protocol Buffers",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue represents a significant severity risk because unbounded recursion in Protocol Buffers parsing can be exploited to trigger stack overflows, leading to Denial of Service (DoS). When parsers, such as `DiscardUnknownFieldsParser` or the Java Protobuf Lite parser, encounter arbitrarily nested groups or deeply recursive map fields, the lack of recursion depth limits can result in uncontrolled stack growth. Attackers can craft malicious protobuf messages that deliberately exceed the stack\u0027s capacity, causing the application to crash or become unresponsive.\n\nThe protobuf package as shipped in RHEL does not include the affected java or kotlin bindings, therefore RHEL is Not Affected.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-7254"
        },
        {
          "category": "external",
          "summary": "RHBZ#2313454",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-7254",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254"
        },
        {
          "category": "external",
          "summary": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
          "url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
        }
      ],
      "release_date": "2024-09-19T01:15:10.963000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "protobuf: StackOverflow vulnerability in Protocol Buffers"
    },
    {
      "cve": "CVE-2024-8184",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-14T16:01:01.239238+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2318564"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jetty\u0027s ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server\u0027s memory.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated as moderate rather than important because it requires specific conditions to be met, including continuous, crafted requests that deliberately target memory allocation to exhaust resources. While it can cause a denial of service, it does not lead to direct compromise of sensitive data, unauthorized access, or code execution.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "RHBZ#2318564",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318564"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-8184",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/pull/11723",
          "url": "https://github.com/jetty/jetty.project/pull/11723"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30"
        }
      ],
      "release_date": "2024-10-14T15:09:37.861000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks"
    },
    {
      "cve": "CVE-2024-8285",
      "cwe": {
        "id": "CWE-297",
        "name": "Improper Validation of Certificate with Host Mismatch"
      },
      "discovery_date": "2024-08-29T22:39:10.882000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2308606"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server\u0027s hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "kroxylicious: Missing upstream Kafka TLS hostname verification",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat have considered this vulnerability as a \u0027Moderate\u0027 severity given the complexity and the permission level required to perform a successful attacker.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-8285"
        },
        {
          "category": "external",
          "summary": "RHBZ#2308606",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2308606"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-8285",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-8285"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8285",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8285"
        }
      ],
      "release_date": "2024-08-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "kroxylicious: Missing upstream Kafka TLS hostname verification"
    },
    {
      "cve": "CVE-2024-9823",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-14T16:01:06.545771+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2318565"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jetty. The DosFilter can be exploited remotely by unauthorized users to trigger an out-of-memory condition by repeatedly sending specially crafted requests. This issue may cause a crash, leading to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-9823"
        },
        {
          "category": "external",
          "summary": "RHBZ#2318565",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318565"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-9823",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-9823"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9823",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9823"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/issues/1256",
          "url": "https://github.com/jetty/jetty.project/issues/1256"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39"
        }
      ],
      "release_date": "2024-10-14T15:03:02.293000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter"
    },
    {
      "cve": "CVE-2024-29025",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2024-04-03T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2272907"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty-codec-http: Allocation of Resources Without Limits or Throttling",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The vulnerability in io.netty:netty-codec-http, allowing for Allocation of Resources Without Limits or Throttling issues, is assessed as moderate severity due to its potential impact on system availability and performance. By exploiting the flaw in HttpPostRequestDecoder, an attacker can craft chunked POST requests with numerous small fields, causing excessive accumulation of data in memory buffers. This unrestricted accumulation can lead to significant memory consumption on the server, potentially exhausting available resources and resulting in denial of service (DoS) conditions.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-29025"
        },
        {
          "category": "external",
          "summary": "RHBZ#2272907",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272907"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-29025",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-29025"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29025",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29025"
        },
        {
          "category": "external",
          "summary": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3",
          "url": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c",
          "url": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v"
        },
        {
          "category": "external",
          "summary": "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812",
          "url": "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812"
        }
      ],
      "release_date": "2024-03-25T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "netty-codec-http: Allocation of Resources Without Limits or Throttling"
    },
    {
      "cve": "CVE-2024-47554",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-03T12:00:40.921058+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2316271"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "RHBZ#2316271",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-47554",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1",
          "url": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1"
        }
      ],
      "release_date": "2024-10-03T11:32:48.936000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader"
    }
  ]
}

RHSA-2025:2416

Vulnerability from csaf_redhat - Published: 2025-03-05 20:59 - Updated: 2026-06-04 00:11

Summary

Red Hat Security Advisory: Streams for Apache Kafka 2.9.0 release and security update

Severity

Important

Notes

Topic: Streams for Apache Kafka 2.9.0 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. This release of Red Hat Streams for Apache Kafka 2.9.0 serves as a replacement for Red Hat Streams for Apache Kafka 2.8.0, and includes security and bug fixes, and enhancements. Security Fix(es): * Cruise Control:cio.netty:netty-common:4.1.115.Final-redhat [amq-st-2] "(CVE-2023-52428)" * Cruise Control:com.nimbusds:nimbus-jose-jwt:9.37.2.redhat [amq-st-2] "(CVE-2024-47535)" * Cruise Control:org.apache.kafka:kafka-clients:3.5.2.redhat+ [amq-st-2] "(CVE-2024-31141)" * Cruise Control:io:commons-io:2.15.1.redhat+ [amq-st-2] "(CVE-2024-47554)" * Cruise Control:org.eclipse.jetty:jetty-server:9.4.56.v20240826-redhat+ [amq-st-2] "(CVE-2024-8184)" * Cruise Control:org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] "(CVE-2024-8184)" * Kafka Exporter:golang-github-danielqsj-kafka_exporter: Golang FIPS zeroed buffer [amq-st-2] "(CVE-2024-9355)" * Kafka Exporter:golang-github-danielqsj-kafka_exporter: net/http: Denial of service due to improper 100-continue handling in net/http [amq-st-2] "(CVE-2024-24791)"

CVE-2023-52428

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.9.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix

Threats

Impact Important

CVE-2024-8184

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.9.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-9355

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.

6.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

CWE-457 - Use of Uninitialized Variable

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.9.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-24791

A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-20 - Improper Input Validation

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.9.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-31141

A flaw was found in Apache Kafka Clients. Apache Kafka Clients accepts configuration data for customizing behavior and includes ConfigProvider plugins to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations, which include the ability to read from disk or environment variables. In applications where an untrusted party can specify Apache Kafka Clients configurations, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables.

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-73 - External Control of File Name or Path

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.9.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2024-47535

A flaw was found in Netty. An unsafe reading of the environment file could potentially cause a denial of service. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates a large file, the Netty application crashes.

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.9.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2024-47554

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.9.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix

Threats

Impact Moderate

References

49 references

URL	Category
https://access.redhat.com/errata/RHSA-2025:2416	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2295310	external
https://bugzilla.redhat.com/show_bug.cgi?id=2309764	external
https://bugzilla.redhat.com/show_bug.cgi?id=2315719	external
https://bugzilla.redhat.com/show_bug.cgi?id=2316271	external
https://bugzilla.redhat.com/show_bug.cgi?id=2318564	external
https://bugzilla.redhat.com/show_bug.cgi?id=2325538	external
https://bugzilla.redhat.com/show_bug.cgi?id=2327264	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2023-52428	self
https://bugzilla.redhat.com/show_bug.cgi?id=2309764	external
https://www.cve.org/CVERecord?id=CVE-2023-52428	external
https://nvd.nist.gov/vuln/detail/CVE-2023-52428	external
https://access.redhat.com/security/cve/CVE-2024-8184	self
https://bugzilla.redhat.com/show_bug.cgi?id=2318564	external
https://www.cve.org/CVERecord?id=CVE-2024-8184	external
https://nvd.nist.gov/vuln/detail/CVE-2024-8184	external
https://github.com/jetty/jetty.project/pull/11723	external
https://github.com/jetty/jetty.project/security/a…	external
https://gitlab.eclipse.org/security/cve-assigneme…	external
https://access.redhat.com/security/cve/CVE-2024-9355	self
https://bugzilla.redhat.com/show_bug.cgi?id=2315719	external
https://www.cve.org/CVERecord?id=CVE-2024-9355	external
https://nvd.nist.gov/vuln/detail/CVE-2024-9355	external
https://github.com/golang-fips/openssl/pull/198	external
https://access.redhat.com/security/cve/CVE-2024-24791	self
https://bugzilla.redhat.com/show_bug.cgi?id=2295310	external
https://www.cve.org/CVERecord?id=CVE-2024-24791	external
https://nvd.nist.gov/vuln/detail/CVE-2024-24791	external
https://go.dev/cl/591255	external
https://go.dev/issue/67555	external
https://groups.google.com/g/golang-dev/c/t0rK-qHB…	external
https://access.redhat.com/security/cve/CVE-2024-31141	self
https://bugzilla.redhat.com/show_bug.cgi?id=2327264	external
https://www.cve.org/CVERecord?id=CVE-2024-31141	external
https://nvd.nist.gov/vuln/detail/CVE-2024-31141	external
https://lists.apache.org/thread/9whdzfr0zwdhr3646…	external
https://access.redhat.com/security/cve/CVE-2024-47535	self
https://bugzilla.redhat.com/show_bug.cgi?id=2325538	external
https://www.cve.org/CVERecord?id=CVE-2024-47535	external
https://nvd.nist.gov/vuln/detail/CVE-2024-47535	external
https://github.com/netty/netty/commit/fbf7a704a82…	external
https://github.com/netty/netty/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2024-47554	self
https://bugzilla.redhat.com/show_bug.cgi?id=2316271	external
https://www.cve.org/CVERecord?id=CVE-2024-47554	external
https://nvd.nist.gov/vuln/detail/CVE-2024-47554	external
https://lists.apache.org/thread/6ozr91rr9cj5lm0zy…	external

Acknowledgments

Red Hat David Benoit

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Streams for Apache Kafka 2.9.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat Streams for Apache Kafka 2.9.0 serves as a replacement for Red Hat Streams for Apache Kafka 2.8.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n* Cruise Control:cio.netty:netty-common:4.1.115.Final-redhat [amq-st-2] \"(CVE-2023-52428)\"\n\n* Cruise Control:com.nimbusds:nimbus-jose-jwt:9.37.2.redhat [amq-st-2] \"(CVE-2024-47535)\"\n\n* Cruise Control:org.apache.kafka:kafka-clients:3.5.2.redhat+ [amq-st-2] \"(CVE-2024-31141)\"\n\n* Cruise Control:io:commons-io:2.15.1.redhat+ [amq-st-2] \"(CVE-2024-47554)\"\n\n* Cruise Control:org.eclipse.jetty:jetty-server:9.4.56.v20240826-redhat+ [amq-st-2] \"(CVE-2024-8184)\"\n\n* Cruise Control:org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] \"(CVE-2024-8184)\"\n\n* Kafka Exporter:golang-github-danielqsj-kafka_exporter: Golang FIPS zeroed buffer [amq-st-2] \"(CVE-2024-9355)\"\n\n* Kafka Exporter:golang-github-danielqsj-kafka_exporter: net/http: Denial of service due to improper 100-continue handling in net/http [amq-st-2] \"(CVE-2024-24791)\"",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:2416",
        "url": "https://access.redhat.com/errata/RHSA-2025:2416"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2295310",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295310"
      },
      {
        "category": "external",
        "summary": "2309764",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309764"
      },
      {
        "category": "external",
        "summary": "2315719",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
      },
      {
        "category": "external",
        "summary": "2316271",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
      },
      {
        "category": "external",
        "summary": "2318564",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318564"
      },
      {
        "category": "external",
        "summary": "2325538",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2325538"
      },
      {
        "category": "external",
        "summary": "2327264",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2327264"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2416.json"
      }
    ],
    "title": "Red Hat Security Advisory: Streams for Apache Kafka 2.9.0 release and security update",
    "tracking": {
      "current_release_date": "2026-06-04T00:11:46+00:00",
      "generator": {
        "date": "2026-06-04T00:11:46+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.1"
        }
      },
      "id": "RHSA-2025:2416",
      "initial_release_date": "2025-03-05T20:59:06+00:00",
      "revision_history": [
        {
          "date": "2025-03-05T20:59:06+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-03-05T20:59:06+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-04T00:11:46+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Streams for Apache Kafka 2.9.0",
                "product": {
                  "name": "Streams for Apache Kafka 2.9.0",
                  "product_id": "Streams for Apache Kafka 2.9.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:amq_streams:2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Streams for Apache Kafka"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-52428",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-09-04T17:02:58.468000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2309764"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in the Nimbus Jose JWT package. By crafting a JWE with an excessively large p2c value, an attacker can trigger significant resource consumption during decryption, potentially leading to application slowdown or unavailability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "nimbus-jose-jwt: large JWE p2c header value causes Denial of Service",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.9.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-52428"
        },
        {
          "category": "external",
          "summary": "RHBZ#2309764",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309764"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-52428",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-52428"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-52428",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52428"
        }
      ],
      "release_date": "2024-02-11T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-05T20:59:06+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:2416"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "nimbus-jose-jwt: large JWE p2c header value causes Denial of Service"
    },
    {
      "cve": "CVE-2024-8184",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-14T16:01:01.239238+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2318564"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jetty\u0027s ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server\u0027s memory.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated as moderate rather than important because it requires specific conditions to be met, including continuous, crafted requests that deliberately target memory allocation to exhaust resources. While it can cause a denial of service, it does not lead to direct compromise of sensitive data, unauthorized access, or code execution.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.9.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "RHBZ#2318564",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318564"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-8184",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/pull/11723",
          "url": "https://github.com/jetty/jetty.project/pull/11723"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30"
        }
      ],
      "release_date": "2024-10-14T15:09:37.861000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-05T20:59:06+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:2416"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "David Benoit"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2024-9355",
      "cwe": {
        "id": "CWE-457",
        "name": "Use of Uninitialized Variable"
      },
      "discovery_date": "2024-09-30T17:51:17.811000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2315719"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\u00a0 This may have follow-on implications for the Go TLS stack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang-fips: Golang FIPS zeroed buffer",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue is specific to the Go language and only affects the test code in cri-o and conmon, not the production code. Since both projects use Go exclusively for testing purposes, this issue does not impact their production environment. Therefore, cri-o and conmon are not affected by this vulnerability.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.9.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-9355"
        },
        {
          "category": "external",
          "summary": "RHBZ#2315719",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-9355",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-9355"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355"
        },
        {
          "category": "external",
          "summary": "https://github.com/golang-fips/openssl/pull/198",
          "url": "https://github.com/golang-fips/openssl/pull/198"
        }
      ],
      "release_date": "2024-09-30T20:53:42.833000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-05T20:59:06+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:2416"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang-fips: Golang FIPS zeroed buffer"
    },
    {
      "cve": "CVE-2024-24791",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2024-07-02T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2295310"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "net/http: Denial of service due to improper 100-continue handling in net/http",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "An attacker would need to control a malicious server and induce a client to connect to it, requiring some amount of preparation outside of the attacker\u0027s control. This reduces the severity score of this flaw to Moderate.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.9.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-24791"
        },
        {
          "category": "external",
          "summary": "RHBZ#2295310",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295310"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-24791",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-24791"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-24791",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24791"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/591255",
          "url": "https://go.dev/cl/591255"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/67555",
          "url": "https://go.dev/issue/67555"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ",
          "url": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ"
        }
      ],
      "release_date": "2024-07-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-05T20:59:06+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:2416"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "net/http: Denial of service due to improper 100-continue handling in net/http"
    },
    {
      "cve": "CVE-2024-31141",
      "cwe": {
        "id": "CWE-73",
        "name": "External Control of File Name or Path"
      },
      "discovery_date": "2024-11-19T09:00:35.857468+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2327264"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache Kafka Clients. Apache Kafka Clients accepts configuration data for customizing behavior and includes ConfigProvider plugins to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations, which include the ability to read from disk or environment variables. In applications where an untrusted party can specify Apache Kafka Clients configurations, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "kafka-clients: privilege escalation to filesystem read-access via automatic ConfigProvider",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.9.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-31141"
        },
        {
          "category": "external",
          "summary": "RHBZ#2327264",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2327264"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-31141",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-31141"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-31141",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31141"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/9whdzfr0zwdhr364604w5ssnzmg4v2lv",
          "url": "https://lists.apache.org/thread/9whdzfr0zwdhr364604w5ssnzmg4v2lv"
        }
      ],
      "release_date": "2024-11-19T08:40:50.695000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-05T20:59:06+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:2416"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "kafka-clients: privilege escalation to filesystem read-access via automatic ConfigProvider"
    },
    {
      "cve": "CVE-2024-47535",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-11-12T16:01:18.772613+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2325538"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty. An unsafe reading of the environment file could potentially cause a denial of service. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates a large file, the Netty application crashes.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: Denial of Service attack on windows app using Netty",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.9.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-47535"
        },
        {
          "category": "external",
          "summary": "RHBZ#2325538",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2325538"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-47535",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-47535"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47535",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47535"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3",
          "url": "https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv"
        }
      ],
      "release_date": "2024-11-12T15:50:08.334000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-05T20:59:06+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:2416"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "netty: Denial of Service attack on windows app using Netty"
    },
    {
      "cve": "CVE-2024-47554",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-03T12:00:40.921058+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2316271"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.9.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "RHBZ#2316271",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-47554",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1",
          "url": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1"
        }
      ],
      "release_date": "2024-10-03T11:32:48.936000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-05T20:59:06+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:2416"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader"
    }
  ]
}

SUSE-RU-2025:1150-1

Vulnerability from csaf_suse - Published: 2025-04-07 07:47 - Updated: 2025-04-07 07:47

Summary

Recommended update for apache-commons-io

Severity

Moderate

Notes

Title of the patch: Recommended update for apache-commons-io

Description of the patch: This update for apache-commons-io fixes the following issues: apache-commons-io was updated from version 2.15.1 to 2.18.0: - Key changes across versions: * Cleaner code and updated dependencies * Improved security when handling serialized data with the new safe deserialization feature * New features for advanced file and stream operations * Various bugs were fixed to improve reliability with fewer crashes and unexpected errors * For the full list of changes please consult the packaged RELEASE-NOTES.txt - Already fixed in previous version: * CVE-2024-47554: Untrusted input to XmlStreamReader can lead to uncontrolled resource consumption (bsc#1231298)

Patchnames: SUSE-2025-1150,SUSE-SLE-Module-Basesystem-15-SP6-2025-1150,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-1150,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-1150,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-1150,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-1150,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-1150,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-1150,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-1150,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-1150,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-1150,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-1150,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-1150,SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2025-1150,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2025-1150,SUSE-Storage-7.1-2025-1150,openSUSE-SLE-15.6-2025-1150

CVE-2024-47554

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 17 products

Product	Version	Remediation
Unresolved product id: SUSE Enterprise Storage 7.1:apache-commons-io-2.18.0-150200.3.15.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-commons-io-2.18.0-150200.3.15.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:apache-commons-io-2.18.0-150200.3.15.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-io-2.18.0-150200.3.15.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-commons-io-2.18.0-150200.3.15.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-commons-io-2.18.0-150200.3.15.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:apache-commons-io-2.18.0-150200.3.15.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Manager Proxy 4.3:apache-commons-io-2.18.0-150200.3.15.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Manager Server 4.3:apache-commons-io-2.18.0-150200.3.15.1.noarch	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:apache-commons-io-2.18.0-150200.3.15.1.noarch	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.6:apache-commons-io-javadoc-2.18.0-150200.3.15.1.noarch	—	Vendor Fix

Threats

Impact moderate

References

8 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-updates/2025…	self
https://bugzilla.suse.com/1231298	self
https://www.suse.com/security/cve/CVE-2024-47554/	self
https://www.suse.com/security/cve/CVE-2024-47554	external
https://bugzilla.suse.com/1231298	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Recommended update for apache-commons-io",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for apache-commons-io fixes the following issues:\n\napache-commons-io was updated from version 2.15.1 to 2.18.0:\n    \n- Key changes across versions:\n  * Cleaner code and updated dependencies\n  * Improved security when handling serialized data with the new safe deserialization feature\n  * New features for advanced file and stream operations\n  * Various bugs were fixed to improve reliability with fewer crashes and unexpected errors\n  * For the full list of changes please consult the packaged RELEASE-NOTES.txt\n    \n- Already fixed in previous version:\n  * CVE-2024-47554: Untrusted input to XmlStreamReader can lead to uncontrolled resource consumption (bsc#1231298)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2025-1150,SUSE-SLE-Module-Basesystem-15-SP6-2025-1150,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-1150,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-1150,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-1150,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-1150,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-1150,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-1150,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-1150,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-1150,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-1150,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-1150,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-1150,SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2025-1150,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2025-1150,SUSE-Storage-7.1-2025-1150,openSUSE-SLE-15.6-2025-1150",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-ru-2025_1150-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-RU-2025:1150-1",
        "url": "https://www.suse.com/support/update/announcement//suse-ru-20251150-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-RU-2025:1150-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2025-April/038917.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1231298",
        "url": "https://bugzilla.suse.com/1231298"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-47554 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-47554/"
      }
    ],
    "title": "Recommended update for apache-commons-io",
    "tracking": {
      "current_release_date": "2025-04-07T07:47:08Z",
      "generator": {
        "date": "2025-04-07T07:47:08Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-RU-2025:1150-1",
      "initial_release_date": "2025-04-07T07:47:08Z",
      "revision_history": [
        {
          "date": "2025-04-07T07:47:08Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
                "product": {
                  "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
                  "product_id": "apache-commons-io-2.18.0-150200.3.15.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "apache-commons-io-javadoc-2.18.0-150200.3.15.1.noarch",
                "product": {
                  "name": "apache-commons-io-javadoc-2.18.0-150200.3.15.1.noarch",
                  "product_id": "apache-commons-io-javadoc-2.18.0-150200.3.15.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
                  "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-basesystem:15:sp6"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-espos:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Manager Proxy 4.3",
                "product": {
                  "name": "SUSE Manager Proxy 4.3",
                  "product_id": "SUSE Manager Proxy 4.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-manager-proxy:4.3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Manager Server 4.3",
                "product": {
                  "name": "SUSE Manager Server 4.3",
                  "product_id": "SUSE Manager Server 4.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-manager-server:4.3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Enterprise Storage 7.1",
                "product": {
                  "name": "SUSE Enterprise Storage 7.1",
                  "product_id": "SUSE Enterprise Storage 7.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:ses:7.1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.6",
                "product": {
                  "name": "openSUSE Leap 15.6",
                  "product_id": "openSUSE Leap 15.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-io-2.18.0-150200.3.15.1.noarch"
        },
        "product_reference": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch"
        },
        "product_reference": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-commons-io-2.18.0-150200.3.15.1.noarch"
        },
        "product_reference": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch"
        },
        "product_reference": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:apache-commons-io-2.18.0-150200.3.15.1.noarch"
        },
        "product_reference": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch"
        },
        "product_reference": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch"
        },
        "product_reference": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch"
        },
        "product_reference": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch"
        },
        "product_reference": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-commons-io-2.18.0-150200.3.15.1.noarch"
        },
        "product_reference": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-commons-io-2.18.0-150200.3.15.1.noarch"
        },
        "product_reference": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:apache-commons-io-2.18.0-150200.3.15.1.noarch"
        },
        "product_reference": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch as component of SUSE Manager Proxy 4.3",
          "product_id": "SUSE Manager Proxy 4.3:apache-commons-io-2.18.0-150200.3.15.1.noarch"
        },
        "product_reference": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
        "relates_to_product_reference": "SUSE Manager Proxy 4.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch as component of SUSE Manager Server 4.3",
          "product_id": "SUSE Manager Server 4.3:apache-commons-io-2.18.0-150200.3.15.1.noarch"
        },
        "product_reference": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
        "relates_to_product_reference": "SUSE Manager Server 4.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch as component of SUSE Enterprise Storage 7.1",
          "product_id": "SUSE Enterprise Storage 7.1:apache-commons-io-2.18.0-150200.3.15.1.noarch"
        },
        "product_reference": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
        "relates_to_product_reference": "SUSE Enterprise Storage 7.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.18.0-150200.3.15.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:apache-commons-io-2.18.0-150200.3.15.1.noarch"
        },
        "product_reference": "apache-commons-io-2.18.0-150200.3.15.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-javadoc-2.18.0-150200.3.15.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:apache-commons-io-javadoc-2.18.0-150200.3.15.1.noarch"
        },
        "product_reference": "apache-commons-io-javadoc-2.18.0-150200.3.15.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-47554",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-47554"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\n\nThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\n\n\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\n\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Enterprise Storage 7.1:apache-commons-io-2.18.0-150200.3.15.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
          "SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-io-2.18.0-150200.3.15.1.noarch",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-commons-io-2.18.0-150200.3.15.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-commons-io-2.18.0-150200.3.15.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:apache-commons-io-2.18.0-150200.3.15.1.noarch",
          "SUSE Manager Proxy 4.3:apache-commons-io-2.18.0-150200.3.15.1.noarch",
          "SUSE Manager Server 4.3:apache-commons-io-2.18.0-150200.3.15.1.noarch",
          "openSUSE Leap 15.6:apache-commons-io-2.18.0-150200.3.15.1.noarch",
          "openSUSE Leap 15.6:apache-commons-io-javadoc-2.18.0-150200.3.15.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-47554",
          "url": "https://www.suse.com/security/cve/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1231298 for CVE-2024-47554",
          "url": "https://bugzilla.suse.com/1231298"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Enterprise Storage 7.1:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Manager Proxy 4.3:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Manager Server 4.3:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "openSUSE Leap 15.6:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "openSUSE Leap 15.6:apache-commons-io-javadoc-2.18.0-150200.3.15.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Enterprise Storage 7.1:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Manager Proxy 4.3:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "SUSE Manager Server 4.3:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "openSUSE Leap 15.6:apache-commons-io-2.18.0-150200.3.15.1.noarch",
            "openSUSE Leap 15.6:apache-commons-io-javadoc-2.18.0-150200.3.15.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-04-07T07:47:08Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-47554"
    }
  ]
}

SUSE-SU-2024:3596-1

Vulnerability from csaf_suse - Published: 2024-10-11 08:38 - Updated: 2024-10-11 08:38

Summary

Security update for apache-commons-io

Severity

Moderate

Notes

Title of the patch: Security update for apache-commons-io

Description of the patch: This update for apache-commons-io fixes the following issues: Upgrade to 2.17.0: - CVE-2024-47554: Fixed untrusted input to XmlStreamReader can lead to uncontrolled resource consumption (bsc#1231298) Other changes: - https://commons.apache.org/proper/commons-io/changes-report.html#a2.17.0

Patchnames: SUSE-2024-3596,SUSE-SLE-SDK-12-SP5-2024-3596,SUSE-SLE-SERVER-12-SP5-2024-3596

CVE-2024-47554

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 3 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 12 SP5:apache-commons-io-2.17.0-11.3.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache-commons-io-2.17.0-11.3.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Software Development Kit 12 SP5:apache-commons-io-2.17.0-11.3.1.noarch	—	Vendor Fix

Threats

Impact moderate

References

8 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-updates/2024…	self
https://bugzilla.suse.com/1231298	self
https://www.suse.com/security/cve/CVE-2024-47554/	self
https://www.suse.com/security/cve/CVE-2024-47554	external
https://bugzilla.suse.com/1231298	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for apache-commons-io",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for apache-commons-io fixes the following issues:\n\nUpgrade to 2.17.0:\n\n- CVE-2024-47554: Fixed untrusted input to XmlStreamReader can lead to uncontrolled resource consumption (bsc#1231298)\n\nOther changes:\n- https://commons.apache.org/proper/commons-io/changes-report.html#a2.17.0\n \n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2024-3596,SUSE-SLE-SDK-12-SP5-2024-3596,SUSE-SLE-SERVER-12-SP5-2024-3596",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_3596-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2024:3596-1",
        "url": "https://www.suse.com/support/update/announcement/2024/suse-su-20243596-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2024:3596-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2024-October/037218.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1231298",
        "url": "https://bugzilla.suse.com/1231298"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-47554 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-47554/"
      }
    ],
    "title": "Security update for apache-commons-io",
    "tracking": {
      "current_release_date": "2024-10-11T08:38:55Z",
      "generator": {
        "date": "2024-10-11T08:38:55Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2024:3596-1",
      "initial_release_date": "2024-10-11T08:38:55Z",
      "revision_history": [
        {
          "date": "2024-10-11T08:38:55Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache-commons-io-2.17.0-11.3.1.noarch",
                "product": {
                  "name": "apache-commons-io-2.17.0-11.3.1.noarch",
                  "product_id": "apache-commons-io-2.17.0-11.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "apache-commons-io-javadoc-2.17.0-11.3.1.noarch",
                "product": {
                  "name": "apache-commons-io-javadoc-2.17.0-11.3.1.noarch",
                  "product_id": "apache-commons-io-javadoc-2.17.0-11.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Software Development Kit 12 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Software Development Kit 12 SP5",
                  "product_id": "SUSE Linux Enterprise Software Development Kit 12 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-sdk:12:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 12 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Server 12 SP5",
                  "product_id": "SUSE Linux Enterprise Server 12 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:12:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:12:sp5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.17.0-11.3.1.noarch as component of SUSE Linux Enterprise Software Development Kit 12 SP5",
          "product_id": "SUSE Linux Enterprise Software Development Kit 12 SP5:apache-commons-io-2.17.0-11.3.1.noarch"
        },
        "product_reference": "apache-commons-io-2.17.0-11.3.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Software Development Kit 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.17.0-11.3.1.noarch as component of SUSE Linux Enterprise Server 12 SP5",
          "product_id": "SUSE Linux Enterprise Server 12 SP5:apache-commons-io-2.17.0-11.3.1.noarch"
        },
        "product_reference": "apache-commons-io-2.17.0-11.3.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.17.0-11.3.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache-commons-io-2.17.0-11.3.1.noarch"
        },
        "product_reference": "apache-commons-io-2.17.0-11.3.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-47554",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-47554"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\n\nThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\n\n\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\n\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 12 SP5:apache-commons-io-2.17.0-11.3.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache-commons-io-2.17.0-11.3.1.noarch",
          "SUSE Linux Enterprise Software Development Kit 12 SP5:apache-commons-io-2.17.0-11.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-47554",
          "url": "https://www.suse.com/security/cve/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1231298 for CVE-2024-47554",
          "url": "https://bugzilla.suse.com/1231298"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 12 SP5:apache-commons-io-2.17.0-11.3.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache-commons-io-2.17.0-11.3.1.noarch",
            "SUSE Linux Enterprise Software Development Kit 12 SP5:apache-commons-io-2.17.0-11.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 12 SP5:apache-commons-io-2.17.0-11.3.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:apache-commons-io-2.17.0-11.3.1.noarch",
            "SUSE Linux Enterprise Software Development Kit 12 SP5:apache-commons-io-2.17.0-11.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-10-11T08:38:55Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-47554"
    }
  ]
}

WID-SEC-W-2024-3082

Vulnerability from csaf_certbund - Published: 2024-10-03 22:00 - Updated: 2025-12-17 23:00

Summary

Apache Commons IO: Schwachstelle ermöglicht Denial of Service

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Apache Commons ist ein Apache-Projekt, das alle Aspekte der wiederverwendbaren Java-Komponenten behandelt.

Angriff: Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Commons IO ausnutzen, um einen Denial of Service Angriff durchzuführen.

Betroffene Betriebssysteme: - Linux - UNIX

CVE-2024-47554

Affected products

Known affected 27 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
IBM Tivoli Network Manager IBM	`cpe:/a:ibm:tivoli_network_manager:ip_edition`	—
IBM SPSS 8.5 IBM / SPSS	`cpe:/a:ibm:spss:8.5`	8.5
IBM Integration Bus IBM	`cpe:/a:ibm:integration_bus:for_zos`	—
IBM QRadar SIEM IBM / QRadar SIEM	`cpe:/a:ibm:qradar_siem:-`	—
Trellix ePolicy Orchestrator <2025 Update 5 Trellix / ePolicy Orchestrator		<2025 Update 5
IBM Operational Decision Manager IBM	`cpe:/a:ibm:operational_decision_manager:-`	—
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
IBM Business Automation Workflow <21.0.3-IF039 IBM / Business Automation Workflow		<21.0.3-IF039
IBM Business Automation Workflow <24.0.0-IF004 IBM / Business Automation Workflow		<24.0.0-IF004
Apache Commons IO <2.14.0 Apache / Commons		IO <2.14.0
IBM QRadar SIEM <7.5.0 UP13 IBM / QRadar SIEM		<7.5.0 UP13
NetApp ActiveIQ Unified Manager NetApp	`cpe:/a:netapp:active_iq_unified_manager:-`	—
Fedora Linux Fedora	`cpe:/o:fedoraproject:fedora:-`	—
IBM Tivoli Netcool/OMNIbus WebGUI <8.1.0 Fix Pack 34 IBM / Tivoli Netcool/OMNIbus		WebGUI <8.1.0 Fix Pack 34
IBM App Connect Enterprise IBM	`cpe:/a:ibm:app_connect_enterprise:-`	—
IBM InfoSphere Identity Insight 9.0 IBM / InfoSphere Identity Insight	`cpe:/a:ibm:infosphere_identity_insight:9.0`	9
HCL Commerce <9.1.17.0 HCL / Commerce		<9.1.17.0
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
IBM InfoSphere Information Server 11.7 IBM / InfoSphere Information Server	`cpe:/a:ibm:infosphere_information_server:11.7`	11.7
IBM InfoSphere Identity Insight 10.0 IBM / InfoSphere Identity Insight	`cpe:/a:ibm:infosphere_identity_insight:10.0`	10
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
IBM InfoSphere Identity Insight 9.1 IBM / InfoSphere Identity Insight	`cpe:/a:ibm:infosphere_identity_insight:9.1`	9.1
IBM Tivoli Netcool/OMNIbus IBM / Tivoli Netcool/OMNIbus	`cpe:/a:ibm:tivoli_netcool%2fomnibus:-`	—
Red Hat JBoss A-MQ Streams 2 Red Hat / JBoss A-MQ	`cpe:/a:redhat:jboss_amq:streams_2`	Streams 2

References

27 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/advisories/GHSA-78wr-2p64-hpwj	external
https://bugzilla.redhat.com/show_bug.cgi?id=2316271	external
https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
https://www.ibm.com/support/pages/node/7172522	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://access.redhat.com/errata/RHSA-2024:9571	external
https://www.ibm.com/support/pages/node/7176463	external
https://www.ibm.com/support/pages/node/7176963	external
https://support.hcl-software.com/csm?id=kb_articl…	external
https://www.ibm.com/support/pages/node/7176903	external
https://www.ibm.com/support/pages/node/7178253	external
https://www.ibm.com/support/pages/node/7179125	external
https://www.ibm.com/support/pages/node/7181897	external
https://security.netapp.com/advisory/ntap-2025013…	external
https://www.ibm.com/support/pages/node/7182808	external
https://www.ibm.com/support/pages/node/7183676	external
https://access.redhat.com/errata/RHSA-2025:2416	external
https://www.ibm.com/support/pages/node/7230121	external
https://docs.trellix.com/bundle/epolicy-orchestra…	external
https://alas.aws.amazon.com/AL2/ALAS2-2025-2927.html	external
https://www.ibm.com/support/pages/node/7241589	external
https://www.ibm.com/support/pages/node/7248128	external
https://www.ibm.com/support/pages/node/7249276	external
https://www.ibm.com/support/pages/node/7252914	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache Commons ist ein Apache-Projekt, das alle Aspekte der wiederverwendbaren Java-Komponenten behandelt.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Commons IO ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-3082 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3082.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-3082 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3082"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2024-10-03",
        "url": "https://github.com/advisories/GHSA-78wr-2p64-hpwj"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker #2316271 vom 2024-10-03",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2024-5D581B2365 vom 2024-10-04",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-5d581b2365"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7172522 vom 2024-10-08",
        "url": "https://www.ibm.com/support/pages/node/7172522"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2024:14387-1 vom 2024-10-09",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/JRY5QEEISAVBMYG363PQWMMY2EMLEE5E/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:3596-1 vom 2024-10-11",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-October/019590.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:9571 vom 2024-11-13",
        "url": "https://access.redhat.com/errata/RHSA-2024:9571"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7176463 vom 2024-11-19",
        "url": "https://www.ibm.com/support/pages/node/7176463"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7176963 vom 2024-11-22",
        "url": "https://www.ibm.com/support/pages/node/7176963"
      },
      {
        "category": "external",
        "summary": "HCL Article KB0117576 vom 2024-12-04",
        "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0117576"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7176903 vom 2024-12-05",
        "url": "https://www.ibm.com/support/pages/node/7176903"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7178253 vom 2024-12-09",
        "url": "https://www.ibm.com/support/pages/node/7178253"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7179125 vom 2024-12-17",
        "url": "https://www.ibm.com/support/pages/node/7179125"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7181897 vom 2025-01-29",
        "url": "https://www.ibm.com/support/pages/node/7181897"
      },
      {
        "category": "external",
        "summary": "NetApp Security Advisory NTAP-20250131-0010 vom 2025-01-31",
        "url": "https://security.netapp.com/advisory/ntap-20250131-0010/"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7182808 vom 2025-02-07",
        "url": "https://www.ibm.com/support/pages/node/7182808"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7183676 vom 2025-02-27",
        "url": "https://www.ibm.com/support/pages/node/7183676"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:2416 vom 2025-03-05",
        "url": "https://access.redhat.com/errata/RHSA-2025:2416"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7230121 vom 2025-04-04",
        "url": "https://www.ibm.com/support/pages/node/7230121"
      },
      {
        "category": "external",
        "summary": "Trellix 2025 Update 5 Release Notes vom 2025-06-25",
        "url": "https://docs.trellix.com/bundle/epolicy-orchestrator-saas-release-notes/page/UUID-bdfa33f8-426e-ec2b-a46a-a50c7743b530.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2025-2927 vom 2025-07-10",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2-2025-2927.html"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7241589 vom 2025-08-06",
        "url": "https://www.ibm.com/support/pages/node/7241589"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7248128 vom 2025-10-16",
        "url": "https://www.ibm.com/support/pages/node/7248128"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7249276 vom 2025-10-27",
        "url": "https://www.ibm.com/support/pages/node/7249276"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7252914 vom 2025-11-27",
        "url": "https://www.ibm.com/support/pages/node/7252914"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache Commons IO: Schwachstelle erm\u00f6glicht Denial of Service",
    "tracking": {
      "current_release_date": "2025-12-17T23:00:00.000+00:00",
      "generator": {
        "date": "2025-12-18T08:50:25.878+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2024-3082",
      "initial_release_date": "2024-10-03T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-10-03T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-10-07T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-10-09T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2024-10-13T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-11-13T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-11-18T23:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-11-24T23:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-12-04T23:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von HCL aufgenommen"
        },
        {
          "date": "2024-12-05T23:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-12-09T23:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-12-16T23:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-01-28T23:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-02-02T23:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von NetApp aufgenommen"
        },
        {
          "date": "2025-02-09T23:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von IBM und IBM-APAR aufgenommen"
        },
        {
          "date": "2025-02-27T23:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-03-05T23:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-04-03T22:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-06-24T22:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2025-07-10T22:00:00.000+00:00",
          "number": "19",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2025-07-13T22:00:00.000+00:00",
          "number": "20",
          "summary": "Doppelte Eintragung bereinigt"
        },
        {
          "date": "2025-08-06T22:00:00.000+00:00",
          "number": "21",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-10-16T22:00:00.000+00:00",
          "number": "22",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-10-27T23:00:00.000+00:00",
          "number": "23",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-11-27T23:00:00.000+00:00",
          "number": "24",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-12-17T23:00:00.000+00:00",
          "number": "25",
          "summary": "Referenz(en) aufgenommen:"
        }
      ],
      "status": "final",
      "version": "25"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "IO \u003c2.14.0",
                "product": {
                  "name": "Apache Commons IO \u003c2.14.0",
                  "product_id": "T037949"
                }
              },
              {
                "category": "product_version",
                "name": "IO 2.14.0",
                "product": {
                  "name": "Apache Commons IO 2.14.0",
                  "product_id": "T037949-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:commons:io__2.14.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "IO \u003e=2.0",
                "product": {
                  "name": "Apache Commons IO \u003e=2.0",
                  "product_id": "T037950"
                }
              },
              {
                "category": "product_version_range",
                "name": "IO \u003e=2.0",
                "product": {
                  "name": "Apache Commons IO \u003e=2.0",
                  "product_id": "T037950-fixed"
                }
              }
            ],
            "category": "product_name",
            "name": "Commons"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Fedora Linux",
            "product": {
              "name": "Fedora Linux",
              "product_id": "74185",
              "product_identification_helper": {
                "cpe": "cpe:/o:fedoraproject:fedora:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Fedora"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c9.1.17.0",
                "product": {
                  "name": "HCL Commerce \u003c9.1.17.0",
                  "product_id": "T039584"
                }
              },
              {
                "category": "product_version",
                "name": "9.1.17.0",
                "product": {
                  "name": "HCL Commerce 9.1.17.0",
                  "product_id": "T039584-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hcltechsw:commerce:9.1.17.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Commerce"
          }
        ],
        "category": "vendor",
        "name": "HCL"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IBM App Connect Enterprise",
            "product": {
              "name": "IBM App Connect Enterprise",
              "product_id": "T032495",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:app_connect_enterprise:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c24.0.0-IF004",
                "product": {
                  "name": "IBM Business Automation Workflow \u003c24.0.0-IF004",
                  "product_id": "T040915"
                }
              },
              {
                "category": "product_version",
                "name": "24.0.0-IF004",
                "product": {
                  "name": "IBM Business Automation Workflow 24.0.0-IF004",
                  "product_id": "T040915-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:business_automation_workflow:24.0.0-if004"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c21.0.3-IF039",
                "product": {
                  "name": "IBM Business Automation Workflow \u003c21.0.3-IF039",
                  "product_id": "T040916"
                }
              },
              {
                "category": "product_version",
                "name": "21.0.3-IF039",
                "product": {
                  "name": "IBM Business Automation Workflow 21.0.3-IF039",
                  "product_id": "T040916-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:business_automation_workflow:21.0.3-if039"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Business Automation Workflow"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c12.0.4 IF2",
                "product": {
                  "name": "IBM Cognos Analytics \u003c12.0.4 IF2",
                  "product_id": "T041469"
                }
              },
              {
                "category": "product_version",
                "name": "12.0.4 IF2",
                "product": {
                  "name": "IBM Cognos Analytics 12.0.4 IF2",
                  "product_id": "T041469-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:cognos_analytics:12.0.4_if2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c11.2.4 IF4",
                "product": {
                  "name": "IBM Cognos Analytics \u003c11.2.4 IF4",
                  "product_id": "T041470"
                }
              },
              {
                "category": "product_version",
                "name": "11.2.4 IF4",
                "product": {
                  "name": "IBM Cognos Analytics 11.2.4 IF4",
                  "product_id": "T041470-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:cognos_analytics:11.2.4_if4"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Cognos Analytics"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "9",
                "product": {
                  "name": "IBM InfoSphere Identity Insight 9.0",
                  "product_id": "723109",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:infosphere_identity_insight:9.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "9.1",
                "product": {
                  "name": "IBM InfoSphere Identity Insight 9.1",
                  "product_id": "T024310",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:infosphere_identity_insight:9.1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "10",
                "product": {
                  "name": "IBM InfoSphere Identity Insight 10.0",
                  "product_id": "T024311",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:infosphere_identity_insight:10.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "InfoSphere Identity Insight"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "11.7",
                "product": {
                  "name": "IBM InfoSphere Information Server 11.7",
                  "product_id": "444803",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:infosphere_information_server:11.7"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "InfoSphere Information Server"
          },
          {
            "category": "product_name",
            "name": "IBM Integration Bus",
            "product": {
              "name": "IBM Integration Bus",
              "product_id": "T039654",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:integration_bus:for_zos"
              }
            }
          },
          {
            "category": "product_name",
            "name": "IBM Operational Decision Manager",
            "product": {
              "name": "IBM Operational Decision Manager",
              "product_id": "T005180",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:operational_decision_manager:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "IBM QRadar SIEM",
                "product": {
                  "name": "IBM QRadar SIEM",
                  "product_id": "T021415",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:qradar_siem:-"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c7.5.0 UP13",
                "product": {
                  "name": "IBM QRadar SIEM \u003c7.5.0 UP13",
                  "product_id": "T045828"
                }
              },
              {
                "category": "product_version",
                "name": "7.5.0 UP13",
                "product": {
                  "name": "IBM QRadar SIEM 7.5.0 UP13",
                  "product_id": "T045828-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:qradar_siem:7.5.0_up13"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "QRadar SIEM"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "8.5",
                "product": {
                  "name": "IBM SPSS 8.5",
                  "product_id": "T038507",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:spss:8.5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "SPSS"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "IBM Tivoli Netcool/OMNIbus",
                "product": {
                  "name": "IBM Tivoli Netcool/OMNIbus",
                  "product_id": "T004181",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:tivoli_netcool%2fomnibus:-"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "WebGUI \u003c8.1.0 Fix Pack 34",
                "product": {
                  "name": "IBM Tivoli Netcool/OMNIbus WebGUI \u003c8.1.0 Fix Pack 34",
                  "product_id": "T039247"
                }
              },
              {
                "category": "product_version",
                "name": "WebGUI 8.1.0 Fix Pack 34",
                "product": {
                  "name": "IBM Tivoli Netcool/OMNIbus WebGUI 8.1.0 Fix Pack 34",
                  "product_id": "T039247-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:tivoli_netcool%2fomnibus:webgui__8.1.0_fix_pack_34"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Tivoli Netcool/OMNIbus"
          },
          {
            "category": "product_name",
            "name": "IBM Tivoli Network Manager",
            "product": {
              "name": "IBM Tivoli Network Manager",
              "product_id": "T012578",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:tivoli_network_manager:ip_edition"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "NetApp ActiveIQ Unified Manager",
            "product": {
              "name": "NetApp ActiveIQ Unified Manager",
              "product_id": "T016960",
              "product_identification_helper": {
                "cpe": "cpe:/a:netapp:active_iq_unified_manager:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "NetApp"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Streams 2",
                "product": {
                  "name": "Red Hat JBoss A-MQ Streams 2",
                  "product_id": "T041596",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_amq:streams_2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "JBoss A-MQ"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2025 Update 5",
                "product": {
                  "name": "Trellix ePolicy Orchestrator \u003c2025 Update 5",
                  "product_id": "T044835"
                }
              },
              {
                "category": "product_version",
                "name": "2025 Update 5",
                "product": {
                  "name": "Trellix ePolicy Orchestrator 2025 Update 5",
                  "product_id": "T044835-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:trellix:epolicy_orchestrator:2025_update_5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "ePolicy Orchestrator"
          }
        ],
        "category": "vendor",
        "name": "Trellix"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-47554",
      "product_status": {
        "known_affected": [
          "67646",
          "T012578",
          "T038507",
          "T039654",
          "T021415",
          "T044835",
          "T005180",
          "T041469",
          "398363",
          "T040916",
          "T040915",
          "T037949",
          "T045828",
          "T016960",
          "74185",
          "T039247",
          "T032495",
          "723109",
          "T039584",
          "T041470",
          "T002207",
          "444803",
          "T024311",
          "T027843",
          "T024310",
          "T004181",
          "T041596"
        ]
      },
      "release_date": "2024-10-03T22:00:00.000+00:00",
      "title": "CVE-2024-47554"
    }
  ]
}

WID-SEC-W-2025-0001

Vulnerability from csaf_certbund - Published: 2025-01-01 23:00 - Updated: 2025-11-18 23:00

Summary

IBM DB2: Mehrere Schwachstellen

Severity

Hoch

Notes

Produktbeschreibung: IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.

Angriff: Ein entfernter oder lokaler Angreifer kann mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data ausnutzen, um seine Privilegien zu erhöhen, beliebigen Code auszuführen, vertrauliche Informationen offenzulegen, Sicherheitsmaßnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen.

Betroffene Betriebssysteme: - Sonstiges

CVE-2021-32740

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2021-41186

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2022-0759

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2022-24795

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2022-31163

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2023-39325

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2023-41993

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2023-45283

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2023-45288

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2023-6597

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-0406

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-20918

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-20952

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-2398

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-24786

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-27281

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-2961

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-29857

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-33599

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-33883

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-37370

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-37371

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-37890

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-39338

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-4068

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-41110

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-41123

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-41946

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-45296

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-45491

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-45590

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-47220

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-47554

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-6119

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

CVE-2024-6345

Affected products

Known affected 13 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Atlassian Confluence <10.1.1 Atlassian / Confluence		<10.1.1
IBM DB2 on Cloud Pak for Data IBM / DB2	`cpe:/a:ibm:db2:on_cloud_pak_for_data`	on Cloud Pak for Data
IBM DB2 Warehouse <5.1.0 IBM / DB2		Warehouse <5.1.0
IBM DB2 <5.1.0 IBM / DB2		<5.1.0
IBM Spectrum Protect Plus <10.1.6.4 IBM / Spectrum Protect Plus		<10.1.6.4
IBM Cognos Analytics <11.2.4 IF4 IBM / Cognos Analytics		<11.2.4 IF4
IBM QRadar SIEM IBM	`cpe:/a:ibm:qradar_siem:-`	—
Atlassian Confluence <10.0.2 Atlassian / Confluence		<10.0.2
IBM Cognos Analytics <12.0.4 IF2 IBM / Cognos Analytics		<12.0.4 IF2
IBM Spectrum Protect Plus <10.1.17.1 IBM / Spectrum Protect Plus		<10.1.17.1
Atlassian Confluence <8.5.25 Atlassian / Confluence		<8.5.25
Atlassian Confluence <9.2.7 Atlassian / Confluence		<9.2.7

References

10 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.ibm.com/support/pages/node/7180105	external
https://www.ibm.com/support/pages/node/7180361	external
https://access.redhat.com/errata/RHSA-2025:1227	external
https://www.ibm.com/support/pages/node/7183676	external
https://www.ibm.com/support/pages/node/7229443	external
https://www.ibm.com/support/pages/node/7237702	external
https://www.ibm.com/support/pages/node/7249276	external
https://confluence.atlassian.com/security/securit…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter oder lokaler Angreifer kann mehrere Schwachstellen in IBM DB2 on Cloud Pak for Data ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu erzeugen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0001 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0001.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0001 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0001"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin vom 2025-01-01",
        "url": "https://www.ibm.com/support/pages/node/7180105"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7180361 vom 2025-01-07",
        "url": "https://www.ibm.com/support/pages/node/7180361"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:1227 vom 2025-02-12",
        "url": "https://access.redhat.com/errata/RHSA-2025:1227"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7183676 vom 2025-02-27",
        "url": "https://www.ibm.com/support/pages/node/7183676"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7229443 vom 2025-03-28",
        "url": "https://www.ibm.com/support/pages/node/7229443"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7237702 vom 2025-06-24",
        "url": "https://www.ibm.com/support/pages/node/7237702"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7249276 vom 2025-10-27",
        "url": "https://www.ibm.com/support/pages/node/7249276"
      },
      {
        "category": "external",
        "summary": "Atlassian Security Bulletin - November 18 2025",
        "url": "https://confluence.atlassian.com/security/security-bulletin-november-18-2025-1671463469.html"
      }
    ],
    "source_lang": "en-US",
    "title": "IBM DB2: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-11-18T23:00:00.000+00:00",
      "generator": {
        "date": "2025-11-19T09:37:09.985+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2025-0001",
      "initial_release_date": "2025-01-01T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-01-01T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-01-06T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-02-12T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-02-27T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-03-30T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-06-23T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-10-27T23:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-11-18T23:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates aufgenommen"
        }
      ],
      "status": "final",
      "version": "8"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c10.1.1",
                "product": {
                  "name": "Atlassian Confluence \u003c10.1.1",
                  "product_id": "T048680"
                }
              },
              {
                "category": "product_version",
                "name": "10.1.1",
                "product": {
                  "name": "Atlassian Confluence 10.1.1",
                  "product_id": "T048680-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:10.1.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c10.0.2",
                "product": {
                  "name": "Atlassian Confluence \u003c10.0.2",
                  "product_id": "T048685"
                }
              },
              {
                "category": "product_version",
                "name": "10.0.2",
                "product": {
                  "name": "Atlassian Confluence 10.0.2",
                  "product_id": "T048685-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:10.0.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.2.7",
                "product": {
                  "name": "Atlassian Confluence \u003c9.2.7",
                  "product_id": "T048686"
                }
              },
              {
                "category": "product_version",
                "name": "9.2.7",
                "product": {
                  "name": "Atlassian Confluence 9.2.7",
                  "product_id": "T048686-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:9.2.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c8.5.25",
                "product": {
                  "name": "Atlassian Confluence \u003c8.5.25",
                  "product_id": "T048687"
                }
              },
              {
                "category": "product_version",
                "name": "8.5.25",
                "product": {
                  "name": "Atlassian Confluence 8.5.25",
                  "product_id": "T048687-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:8.5.25"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Confluence"
          }
        ],
        "category": "vendor",
        "name": "Atlassian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c12.0.4 IF2",
                "product": {
                  "name": "IBM Cognos Analytics \u003c12.0.4 IF2",
                  "product_id": "T041469"
                }
              },
              {
                "category": "product_version",
                "name": "12.0.4 IF2",
                "product": {
                  "name": "IBM Cognos Analytics 12.0.4 IF2",
                  "product_id": "T041469-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:cognos_analytics:12.0.4_if2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c11.2.4 IF4",
                "product": {
                  "name": "IBM Cognos Analytics \u003c11.2.4 IF4",
                  "product_id": "T041470"
                }
              },
              {
                "category": "product_version",
                "name": "11.2.4 IF4",
                "product": {
                  "name": "IBM Cognos Analytics 11.2.4 IF4",
                  "product_id": "T041470-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:cognos_analytics:11.2.4_if4"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Cognos Analytics"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c5.1.0",
                "product": {
                  "name": "IBM DB2 \u003c5.1.0",
                  "product_id": "T039987"
                }
              },
              {
                "category": "product_version",
                "name": "5.1.0",
                "product": {
                  "name": "IBM DB2 5.1.0",
                  "product_id": "T039987-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:db2:5.1.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Warehouse \u003c5.1.0",
                "product": {
                  "name": "IBM DB2 Warehouse \u003c5.1.0",
                  "product_id": "T039988"
                }
              },
              {
                "category": "product_version",
                "name": "Warehouse 5.1.0",
                "product": {
                  "name": "IBM DB2 Warehouse 5.1.0",
                  "product_id": "T039988-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:db2:warehouse__5.1.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "on Cloud Pak for Data",
                "product": {
                  "name": "IBM DB2 on Cloud Pak for Data",
                  "product_id": "T042208",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:db2:on_cloud_pak_for_data"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "DB2"
          },
          {
            "category": "product_name",
            "name": "IBM QRadar SIEM",
            "product": {
              "name": "IBM QRadar SIEM",
              "product_id": "T021415",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:qradar_siem:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c10.1.6.4",
                "product": {
                  "name": "IBM Spectrum Protect Plus \u003c10.1.6.4",
                  "product_id": "T040030"
                }
              },
              {
                "category": "product_version",
                "name": "10.1.6.4",
                "product": {
                  "name": "IBM Spectrum Protect Plus 10.1.6.4",
                  "product_id": "T040030-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:spectrum_protect_plus:10.1.6.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c10.1.17.1",
                "product": {
                  "name": "IBM Spectrum Protect Plus \u003c10.1.17.1",
                  "product_id": "T044782"
                }
              },
              {
                "category": "product_version",
                "name": "10.1.17.1",
                "product": {
                  "name": "IBM Spectrum Protect Plus 10.1.17.1",
                  "product_id": "T044782-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:spectrum_protect_plus:10.1.17.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Spectrum Protect Plus"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-32740",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2021-32740"
    },
    {
      "cve": "CVE-2021-41186",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2021-41186"
    },
    {
      "cve": "CVE-2022-0759",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2022-0759"
    },
    {
      "cve": "CVE-2022-24795",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2022-24795"
    },
    {
      "cve": "CVE-2022-31163",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2022-31163"
    },
    {
      "cve": "CVE-2023-39325",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2023-39325"
    },
    {
      "cve": "CVE-2023-41993",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2023-41993"
    },
    {
      "cve": "CVE-2023-45283",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2023-45283"
    },
    {
      "cve": "CVE-2023-45288",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2023-45288"
    },
    {
      "cve": "CVE-2023-6597",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2023-6597"
    },
    {
      "cve": "CVE-2024-0406",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-0406"
    },
    {
      "cve": "CVE-2024-20918",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-20918"
    },
    {
      "cve": "CVE-2024-20952",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-20952"
    },
    {
      "cve": "CVE-2024-2398",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-2398"
    },
    {
      "cve": "CVE-2024-24786",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-24786"
    },
    {
      "cve": "CVE-2024-27281",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-27281"
    },
    {
      "cve": "CVE-2024-2961",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-2961"
    },
    {
      "cve": "CVE-2024-29857",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-29857"
    },
    {
      "cve": "CVE-2024-33599",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-33599"
    },
    {
      "cve": "CVE-2024-33883",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-33883"
    },
    {
      "cve": "CVE-2024-37370",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-37370"
    },
    {
      "cve": "CVE-2024-37371",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-37371"
    },
    {
      "cve": "CVE-2024-37890",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-37890"
    },
    {
      "cve": "CVE-2024-39338",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-39338"
    },
    {
      "cve": "CVE-2024-4068",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-4068"
    },
    {
      "cve": "CVE-2024-41110",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-41110"
    },
    {
      "cve": "CVE-2024-41123",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-41123"
    },
    {
      "cve": "CVE-2024-41946",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-41946"
    },
    {
      "cve": "CVE-2024-45296",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-45296"
    },
    {
      "cve": "CVE-2024-45491",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-45491"
    },
    {
      "cve": "CVE-2024-45590",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-45590"
    },
    {
      "cve": "CVE-2024-47220",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-47220"
    },
    {
      "cve": "CVE-2024-47554",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-47554"
    },
    {
      "cve": "CVE-2024-6119",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-6119"
    },
    {
      "cve": "CVE-2024-6345",
      "product_status": {
        "known_affected": [
          "67646",
          "T048680",
          "T042208",
          "T039988",
          "T039987",
          "T040030",
          "T041470",
          "T021415",
          "T048685",
          "T041469",
          "T044782",
          "T048687",
          "T048686"
        ]
      },
      "release_date": "2025-01-01T23:00:00.000+00:00",
      "title": "CVE-2024-6345"
    }
  ]
}

WID-SEC-W-2025-0135

Vulnerability from csaf_certbund - Published: 2025-01-21 23:00 - Updated: 2025-01-21 23:00

Summary

Oracle Communications Applications: Mehrere Schwachstellen

Severity

Hoch

Notes

Produktbeschreibung: Communications Applications umfasst eine Sammlung von Werkzeugen zur Verwaltung von Messaging-, Kommunikationsdiensten und -ressourcen.

Angriff: Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Communications Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.

Betroffene Betriebssysteme: - Linux - UNIX - Windows

CVE-2023-29408

In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist "HIGH" für "Confidentiality", "Integrity" und "Availability" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert "HOCH" für die Schadenshöhe.

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-0232

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-1442

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-24786

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-26308

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-27309

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-28849

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-29025

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-29133

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-35195

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-37371

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-37891

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-38807

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-38827

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-47535

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-47554

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-47561

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-6162

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-7254

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2024-7592

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2025-21542

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2025-21544

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

CVE-2025-21554

Affected products

Known affected 12 products

Product	Identifier	Version
Oracle Communications Applications 3.0.3.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.0.0`	3.0.3.0.0
Oracle Communications Applications 3.0.2.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.2.0.0`	3.0.2.0.0
Oracle Communications Applications 8.1.0.26 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.26`	8.1.0.26
Oracle Communications Applications 8.1.0.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.1.0.1`	8.1.0.1
Oracle Communications Applications 15.0.0.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.0.0`	15.0.0.0
Oracle Communications Applications 8.0.0.3 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:8.0.0.3`	8.0.0.3
Oracle Communications Applications 15.0.1.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:15.0.1.0`	15.0.1.0
Oracle Communications Applications 7.4.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.0`	7.4.0
Oracle Communications Applications 7.4.1 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.1`	7.4.1
Oracle Communications Applications 7.5.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.5.0`	7.5.0
Oracle Communications Applications 7.4.2 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:7.4.2`	7.4.2
Oracle Communications Applications 3.0.3.3.0 Oracle / Communications Applications	`cpe:/a:oracle:communications_applications:3.0.3.3.0`	3.0.3.3.0

Last affected 3 products

Product	Identifier	Version	Remediation
Oracle Communications Applications <=6.0.5 Oracle / Communications Applications		<=6.0.5
Oracle Communications Applications <=12.0.0.8 Oracle / Communications Applications		<=12.0.0.8
Oracle Communications Applications <=15.0.0.1 Oracle / Communications Applications		<=15.0.0.1

References

3 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.oracle.com/security-alerts/cpujan2025…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Communications Applications umfasst eine Sammlung von Werkzeugen zur Verwaltung von Messaging-, Kommunikationsdiensten und -ressourcen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Communications Applications ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0135 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0135.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0135 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0135"
      },
      {
        "category": "external",
        "summary": "Oracle Critical Patch Update Advisory - January 2025 - Appendix Oracle Communications Applications vom 2025-01-21",
        "url": "https://www.oracle.com/security-alerts/cpujan2025.html#AppendixCAGBU"
      }
    ],
    "source_lang": "en-US",
    "title": "Oracle Communications Applications: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-01-21T23:00:00.000+00:00",
      "generator": {
        "date": "2025-01-22T09:03:47.024+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2025-0135",
      "initial_release_date": "2025-01-21T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-01-21T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.4.0",
                "product": {
                  "name": "Oracle Communications Applications 7.4.0",
                  "product_id": "T018938",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:7.4.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.4.1",
                "product": {
                  "name": "Oracle Communications Applications 7.4.1",
                  "product_id": "T018939",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:7.4.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=12.0.0.8",
                "product": {
                  "name": "Oracle Communications Applications \u003c=12.0.0.8",
                  "product_id": "T034251"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=12.0.0.8",
                "product": {
                  "name": "Oracle Communications Applications \u003c=12.0.0.8",
                  "product_id": "T034251-fixed"
                }
              },
              {
                "category": "product_version",
                "name": "15.0.0.0",
                "product": {
                  "name": "Oracle Communications Applications 15.0.0.0",
                  "product_id": "T034252",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:15.0.0.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.4.2",
                "product": {
                  "name": "Oracle Communications Applications 7.4.2",
                  "product_id": "T034254",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:7.4.2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.5.0",
                "product": {
                  "name": "Oracle Communications Applications 7.5.0",
                  "product_id": "T034255",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:7.5.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=6.0.5",
                "product": {
                  "name": "Oracle Communications Applications \u003c=6.0.5",
                  "product_id": "T038372"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=6.0.5",
                "product": {
                  "name": "Oracle Communications Applications \u003c=6.0.5",
                  "product_id": "T038372-fixed"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=15.0.0.1",
                "product": {
                  "name": "Oracle Communications Applications \u003c=15.0.0.1",
                  "product_id": "T040433"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=15.0.0.1",
                "product": {
                  "name": "Oracle Communications Applications \u003c=15.0.0.1",
                  "product_id": "T040433-fixed"
                }
              },
              {
                "category": "product_version",
                "name": "15.0.1.0",
                "product": {
                  "name": "Oracle Communications Applications 15.0.1.0",
                  "product_id": "T040434",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:15.0.1.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.0.0.3",
                "product": {
                  "name": "Oracle Communications Applications 8.0.0.3",
                  "product_id": "T040435",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:8.0.0.3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.1.0.1",
                "product": {
                  "name": "Oracle Communications Applications 8.1.0.1",
                  "product_id": "T040436",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:8.1.0.1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.1.0.26",
                "product": {
                  "name": "Oracle Communications Applications 8.1.0.26",
                  "product_id": "T040437",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:8.1.0.26"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "3.0.2.0.0",
                "product": {
                  "name": "Oracle Communications Applications 3.0.2.0.0",
                  "product_id": "T040438",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:3.0.2.0.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "3.0.3.0.0",
                "product": {
                  "name": "Oracle Communications Applications 3.0.3.0.0",
                  "product_id": "T040439",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:3.0.3.0.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "3.0.3.3.0",
                "product": {
                  "name": "Oracle Communications Applications 3.0.3.3.0",
                  "product_id": "T040440",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:3.0.3.3.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Communications Applications"
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-29408",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2023-29408"
    },
    {
      "cve": "CVE-2024-0232",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-0232"
    },
    {
      "cve": "CVE-2024-1442",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-1442"
    },
    {
      "cve": "CVE-2024-24786",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-24786"
    },
    {
      "cve": "CVE-2024-26308",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-26308"
    },
    {
      "cve": "CVE-2024-27309",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-27309"
    },
    {
      "cve": "CVE-2024-28849",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-28849"
    },
    {
      "cve": "CVE-2024-29025",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-29025"
    },
    {
      "cve": "CVE-2024-29133",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-29133"
    },
    {
      "cve": "CVE-2024-35195",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-35195"
    },
    {
      "cve": "CVE-2024-37371",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-37371"
    },
    {
      "cve": "CVE-2024-37891",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-37891"
    },
    {
      "cve": "CVE-2024-38807",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-38807"
    },
    {
      "cve": "CVE-2024-38827",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-38827"
    },
    {
      "cve": "CVE-2024-47535",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-47535"
    },
    {
      "cve": "CVE-2024-47554",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-47554"
    },
    {
      "cve": "CVE-2024-47561",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-47561"
    },
    {
      "cve": "CVE-2024-6162",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-6162"
    },
    {
      "cve": "CVE-2024-7254",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-7254"
    },
    {
      "cve": "CVE-2024-7592",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2024-7592"
    },
    {
      "cve": "CVE-2025-21542",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2025-21542"
    },
    {
      "cve": "CVE-2025-21544",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2025-21544"
    },
    {
      "cve": "CVE-2025-21554",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040439",
          "T040438",
          "T040437",
          "T040436",
          "T034252",
          "T040435",
          "T040434",
          "T018938",
          "T018939",
          "T034255",
          "T034254",
          "T040440"
        ],
        "last_affected": [
          "T038372",
          "T034251",
          "T040433"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2025-21554"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-47554 (GCVE-0-2024-47554)

Tags

Sightings

Nomenclature