MidnightBSD

Advisories for quarkus

CVE-2017-18640 MEDIUM

The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-776,

Products Affected

Vendor Product Version
fedoraproject fedora 32
quarkus quarkus *
oracle peoplesoft_enterprise_pt_peopletools 8.57
snakeyaml_project snakeyaml *
oracle peoplesoft_enterprise_pt_peopletools 8.56
oracle peoplesoft_enterprise_pt_peopletools 8.58
fedoraproject fedora 31
CVE-2019-14900 MEDIUM

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
redhat jboss_enterprise_application_platform 7.3
redhat decision_manager 7.0
redhat jboss_enterprise_application_platform 7.4
redhat jboss_enterprise_application_platform 7.2
redhat openstack 10
redhat single_sign-on -
redhat fuse *
hibernate hibernate_orm *
redhat jboss_middleware_text-only_advisories -
quarkus quarkus *
redhat jboss_enterprise_application_platform -
redhat jboss_data_grid 7.0.0
redhat openstack 14
redhat openstack 13
redhat build_of_quarkus -
CVE-2020-10693 MEDIUM

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
quarkus quarkus *
redhat satellite_capsule 6.8
redhat jboss_enterprise_application_platform 7.3.0
oracle weblogic_server 14.1.1.0.0
redhat hibernate_validator 7.0.0
redhat jboss_enterprise_application_platform 7.2.0
ibm websphere_application_server *
redhat hibernate_validator *
redhat satellite 6.8
CVE-2020-13692 MEDIUM

PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
fedoraproject fedora 32
quarkus quarkus *
debian debian_linux 10.0
debian debian_linux 11.0
postgresql postgresql_jdbc_driver *
netapp steelstore_cloud_integrated_storage -
CVE-2020-13956 MEDIUM

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
oracle peoplesoft_enterprise_pt_peopletools 8.57
oracle peoplesoft_enterprise_peopletools 8.57
oracle primavera_unifier 20.12
oracle weblogic_server 14.1.1.0.0
oracle data_integrator 12.2.1.4.0
oracle nosql_database *
oracle jd_edwards_enterpriseone_tools *
oracle primavera_unifier 18.8
oracle communications_cloud_native_core_service_communication_proxy 1.14.0
oracle primavera_unifier 19.12
netapp snapcenter -
oracle primavera_unifier 16.1
netapp active_iq_unified_manager -
oracle data_integrator 12.2.1.3.0
oracle weblogic_server 12.2.1.4.0
oracle peoplesoft_enterprise_pt_peopletools 8.58
oracle peoplesoft_enterprise_pt_peopletools 8.59
oracle jd_edwards_enterpriseone_orchestrator *
quarkus quarkus *
oracle sql_developer *
oracle commerce_guided_search 11.3.2
oracle spatial_studio *
oracle peoplesoft_enterprise_peopletools 8.58
apache httpclient *
oracle retail_customer_management_and_segmentation_foundation *
oracle primavera_unifier 16.2
oracle primavera_unifier *
CVE-2020-1714 MEDIUM

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
quarkus quarkus *
redhat decision_manager 7.0
redhat process_automation 7.0
redhat single_sign-on 7.0
redhat keycloak *
redhat openshift_application_runtimes -
redhat jboss_fuse 7.0.0
CVE-2020-1728 MEDIUM

A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.8 2.5
secalert@redhat.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-358,CWE-1021,

Products Affected

Vendor Product Version
quarkus quarkus *
redhat keycloak *
CVE-2020-25633 MEDIUM

A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-209,CWE-209,

Products Affected

Vendor Product Version
quarkus quarkus *
redhat resteasy *
CVE-2020-25638 MEDIUM

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,CWE-89,

Products Affected

Vendor Product Version
quarkus quarkus *
debian debian_linux 10.0
hibernate hibernate_orm *
debian debian_linux 9.0
oracle communications_cloud_native_core_console 1.9.0
oracle retail_customer_management_and_segmentation_foundation 19.0
CVE-2020-25649 MEDIUM

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,CWE-611,

Products Affected

Vendor Product Version
oracle communications_interactive_session_recorder 6.3
oracle retail_xstore_point_of_service 17.0.4
oracle banking_apis 21.1
oracle communications_billing_and_revenue_management 7.5.0.23.0
oracle banking_platform 2.10.0
oracle retail_service_backbone 16.0.3
oracle retail_service_backbone 14.1.3.2
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_messaging_server 8.0.2
oracle communications_evolved_communications_application_server 7.1
oracle health_sciences_empirica_signal 9.0
oracle retail_xstore_point_of_service 20.0.1
oracle insurance_rules_palette 11.0.2
oracle insurance_policy_administration 11.0.2
oracle retail_xstore_point_of_service 19.0.2
oracle agile_product_lifecycle_management_integration_pack 3.6
oracle communications_unified_inventory_management 7.4.1
oracle communications_messaging_server 8.1
oracle banking_apis 20.1
oracle goldengate_application_adapters 19.1.0.0.0
netapp oncommand_api_services -
oracle insurance_rules_palette *
oracle jd_edwards_enterpriseone_orchestrator *
oracle communications_instant_messaging_server 10.0.1.5.0
oracle retail_service_backbone 15.0.3.1
quarkus quarkus *
oracle communications_pricing_design_center 12.0.0.4.0
oracle coherence 12.2.1.4.0
oracle communications_services_gatekeeper 7.0
oracle banking_platform 2.6.2
apache iotdb *
oracle banking_platform 2.7.0
oracle banking_treasury_management 4.4
oracle utilities_framework 4.3.0.5.0
fedoraproject fedora 32
oracle retail_xstore_point_of_service 16.0.6
oracle blockchain_platform *
oracle banking_apis 19.2
oracle commerce_platform 11.2.0
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle jd_edwards_enterpriseone_tools *
fasterxml jackson-databind *
oracle retail_xstore_point_of_service 18.0.3
oracle utilities_framework 4.4.0.2.0
oracle utilities_framework 4.4.0.3.0
oracle utilities_framework 4.4.0.0.0
oracle banking_apis *
oracle webcenter_portal 12.2.1.3.0
oracle agile_plm 9.3.6
oracle commerce_platform *
oracle communications_network_charging_and_control 12.0.4.0.0
oracle sd-wan_edge 9.0
oracle banking_apis 19.1
oracle communications_interactive_session_recorder 6.4
oracle primavera_gateway 20.12.0
oracle banking_platform 2.9.0
oracle communications_cloud_native_core_unified_data_repository 1.4.0
oracle health_sciences_empirica_signal 9.1
oracle communications_convergent_charging_controller 12.0.4.0.0
oracle primavera_gateway *
oracle banking_platform 2.7.1
oracle utilities_framework 4.3.0.6.0
oracle webcenter_portal 12.2.1.4.0
oracle coherence 14.1.1.0.0
netapp oncommand_workflow_automation -
netapp service_level_manager -
oracle banking_platform 2.8.0
oracle insurance_policy_administration *
CVE-2020-25724 MEDIUM

A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided. This flaw allows an attacker to gain access to privileged information. The highest threat from this vulnerability is to confidentiality and integrity. Versions before resteasy 2.0.0.Alpha3 are affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-567,

Products Affected

Vendor Product Version
quarkus quarkus *
redhat resteasy *
redhat resteasy 2.0.0
CVE-2020-28491 MEDIUM

This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
quarkus quarkus *
fasterxml jackson-dataformats-binary 2.12.0
oracle weblogic_server 14.1.1.0.0
fasterxml jackson-dataformats-binary *
oracle weblogic_server 12.2.1.4.0
oracle weblogic_server 12.2.1.3.0
CVE-2020-8908 LOW

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@google.com 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-378,CWE-732,

Products Affected

Vendor Product Version
oracle peoplesoft_enterprise_peopletools 8.57
oracle primavera_unifier 20.12
oracle weblogic_server 14.1.1.0.0
oracle data_integrator 12.2.1.4.0
oracle communications_pricing_design_center 12.0.0.5.0
netapp active_iq_unified_manager -
oracle data_integrator 12.2.1.3.0
google guava *
oracle nosql_database *
quarkus quarkus *
oracle communications_pricing_design_center 12.0.0.4.0
oracle communications_cloud_native_core_network_repository_function 1.14.0
oracle communications_cloud_native_core_network_slice_selection_function 1.2.1
oracle primavera_unifier 18.8
oracle commerce_guided_search 11.3.2
oracle primavera_unifier 19.12
oracle peoplesoft_enterprise_peopletools 8.58
oracle primavera_unifier 21.12
oracle retail_customer_management_and_segmentation_foundation *
oracle peoplesoft_enterprise_peopletools 8.59
oracle primavera_unifier *
CVE-2021-20289 MEDIUM

A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-209,CWE-209,

Products Affected

Vendor Product Version
quarkus quarkus *
netapp oncommand_insight -
redhat resteasy *
oracle communications_cloud_native_core_console 1.9.0
CVE-2021-20328 MEDIUM

Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@mongodb.com 6.4 MEDIUM CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N 1.2 5.2
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 1.6 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,CWE-295,

Products Affected

Vendor Product Version
quarkus quarkus *
mongodb java_driver *
quarkus quarkus 1.13.3
CVE-2021-21290 LOW

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6
security-advisories@github.com 6.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 2.5 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-378,CWE-379,CWE-668,

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle communications_design_studio 7.4.2
oracle banking_credit_facilities_process_management 14.5.0
oracle banking_credit_facilities_process_management 14.2.0
oracle banking_trade_finance_process_management 14.5.0
oracle banking_credit_facilities_process_management 14.3.0
oracle banking_trade_finance_process_management 14.2.0
oracle communications_messaging_server 8.1
netapp active_iq_unified_manager -
oracle communications_brm_-_elastic_charging_engine 12.0.0.3
oracle banking_corporate_lending_process_management 14.5.0
oracle nosql_database *
quarkus quarkus *
oracle banking_corporate_lending_process_management 14.3.0
oracle banking_corporate_lending_process_management 14.2.0
netapp snapcenter -
oracle banking_trade_finance_process_management 14.3.0
debian debian_linux 9.0
netapp cloud_secure_agent -
netty netty *
CVE-2021-21295 LOW

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6
security-advisories@github.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-444,CWE-444,

Products Affected

Vendor Product Version
quarkus quarkus *
debian debian_linux 10.0
oracle communications_cloud_native_core_policy 1.14.0
apache kudu *
netapp oncommand_workflow_automation -
apache zookeeper 3.5.9
netapp oncommand_api_services -
netty netty *
CVE-2021-21409 MEDIUM

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444,CWE-444,

Products Affected

Vendor Product Version
oracle communications_cloud_native_core_policy 1.14.0
oracle banking_credit_facilities_process_management 14.2.0
oracle banking_trade_finance_process_management 14.2.0
oracle communications_brm_-_elastic_charging_engine 12.0.0.3
oracle nosql_database *
oracle jd_edwards_enterpriseone_tools *
oracle banking_corporate_lending_process_management 14.3.0
oracle banking_corporate_lending_process_management 14.2.0
oracle helidon 2.4.0
oracle helidon 1.4.10
oracle banking_trade_finance_process_management 14.3.0
netty netty *
debian debian_linux 10.0
oracle banking_credit_facilities_process_management 14.5.0
oracle banking_trade_finance_process_management 14.5.0
oracle banking_credit_facilities_process_management 14.3.0
oracle communications_design_studio 7.4.2.0.0
oracle communications_messaging_server 8.1
oracle banking_corporate_lending_process_management 14.5.0
netapp oncommand_api_services -
quarkus quarkus *
oracle coherence 12.2.1.4.0
oracle primavera_gateway *
oracle coherence 14.1.1.0.0
netapp oncommand_workflow_automation -
oracle communications_cloud_native_core_console 1.7.0
CVE-2021-2471 HIGH

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H 0.7 5.2

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
quarkus quarkus *
oracle communications_cloud_native_core_security_edge_protection_proxy 1.7.0
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0
oracle communications_cloud_native_core_policy 1.15.0
oracle communications_cloud_native_core_console 1.9.0
oracle mysql_connectors *
CVE-2021-26291 MEDIUM

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-346,

Products Affected

Vendor Product Version
quarkus quarkus *
apache maven *
oracle financial_services_analytical_applications_infrastructure *
oracle goldengate_big_data_and_application_adapters 23.1
CVE-2021-28170 MEDIUM

In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-917,

Products Affected

Vendor Product Version
quarkus quarkus *
oracle communications_cloud_native_core_policy 1.14.0
oracle weblogic_server 14.1.1.0.0
eclipse jakarta_expression_language *
CVE-2021-29427 MEDIUM

In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the "A Confusing Dependency" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.0 HIGH CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 1.3 6.0
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-829,

Products Affected

Vendor Product Version
quarkus quarkus *
gradle gradle *
CVE-2021-29428 MEDIUM

In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the "sticky" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-378,CWE-379,

Products Affected

Vendor Product Version
quarkus quarkus *
gradle gradle *
CVE-2021-29429 LOW

In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6
security-advisories@github.com 4.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 2.5 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-377,

Products Affected

Vendor Product Version
quarkus quarkus *
gradle gradle *
CVE-2021-3642 LOW

A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-203,CWE-203,

Products Affected

Vendor Product Version
redhat process_automation 7.0
redhat codeready_studio 12.0
redhat descision_manager 7.0
redhat jboss_fuse 7.0.0
quarkus quarkus *
redhat integration_camel_quarkus *
redhat jboss_enterprise_application_platform_expansion_pack -
redhat integration_camel_k -
redhat openshift_application_runtimes -
redhat wildfly_elytron *
redhat jboss_enterprise_application_platform 7.0.0
redhat data_grid 8.0
redhat build_of_quarkus -
CVE-2021-37136 MEDIUM

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-400,

Products Affected

Vendor Product Version
oracle peoplesoft_enterprise_peopletools 8.57
netapp oncommand_insight -
oracle banking_apis 21.1
oracle banking_digital_experience 21.1
oracle banking_apis 19.2
oracle communications_brm_-_elastic_charging_engine 12
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0
oracle banking_digital_experience 20.1
oracle peoplesoft_enterprise_peopletools 8.48
oracle helidon 2.4.0
oracle banking_digital_experience 18.3
oracle communications_diameter_signaling_router *
oracle peoplesoft_enterprise_peopletools 8.59
oracle helidon 1.4.10
oracle banking_digital_experience 18.2
netty netty *
debian debian_linux 10.0
oracle banking_apis *
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle webcenter_portal 12.2.1.3.0
oracle banking_digital_experience 19.2
oracle banking_apis 19.1
oracle banking_apis 20.1
oracle communications_brm_-_elastic_charging_engine *
oracle banking_digital_experience 18.1
oracle communications_cloud_native_core_binding_support_function 1.11.0
quarkus quarkus *
oracle coherence 12.2.1.4.0
oracle communications_cloud_native_core_security_edge_protection_proxy 1.7.0
debian debian_linux 11.0
oracle commerce_guided_search 11.3.2
oracle communications_cloud_native_core_unified_data_repository 1.15.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle webcenter_portal 12.2.1.4.0
oracle coherence 14.1.1.0.0
oracle banking_digital_experience 19.1
oracle communications_cloud_native_core_policy 1.15.0
oracle communications_instant_messaging_server 8.1
CVE-2021-37137 MEDIUM

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-400,

Products Affected

Vendor Product Version
oracle communications_brm_-_elastic_charging_engine 12.0.0.5.0
oracle peoplesoft_enterprise_peopletools 8.57
netapp oncommand_insight -
oracle banking_apis 21.1
oracle banking_digital_experience 21.1
oracle banking_apis 19.2
oracle banking_digital_experience 20.1
oracle banking_digital_experience 18.3
oracle communications_diameter_signaling_router *
oracle peoplesoft_enterprise_peopletools 8.59
oracle banking_digital_experience 18.2
netty netty *
debian debian_linux 10.0
oracle banking_apis *
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle webcenter_portal 12.2.1.3.0
oracle banking_digital_experience 19.2
oracle banking_apis 19.1
oracle banking_apis 20.1
oracle communications_brm_-_elastic_charging_engine *
oracle banking_digital_experience 18.1
quarkus quarkus *
debian debian_linux 11.0
oracle commerce_guided_search 11.3.2
oracle peoplesoft_enterprise_peopletools 8.58
oracle webcenter_portal 12.2.1.4.0
oracle banking_digital_experience 19.1
CVE-2021-37714 MEDIUM

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-248,CWE-835,CWE-835,

Products Affected

Vendor Product Version
oracle primavera_unifier 20.12
oracle hospitality_token_proxy_service 19.2
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0
oracle banking_treasury_management 14.5
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0
oracle middleware_common_libraries_and_tools 12.2.1.4.0
oracle peoplesoft_enterprise_peopletools 8.59
oracle banking_trade_finance 14.5
oracle webcenter_portal 12.2.1.3.0
netapp management_services_for_element_software_and_netapp_hci -
oracle flexcube_universal_banking 14.5
oracle communications_messaging_server 8.1
quarkus quarkus *
oracle middleware_common_libraries_and_tools 12.2.1.3.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle business_process_management_suite 12.2.1.3.0
oracle webcenter_portal 12.2.1.4.0
oracle primavera_unifier 21.12
oracle stream_analytics *
jsoup jsoup *
oracle retail_customer_management_and_segmentation_foundation *
oracle business_process_management_suite 12.2.1.4.0
oracle flexcube_universal_banking *
oracle stream_analytics 19c
CVE-2021-38153 MEDIUM

Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-203,CWE-203,

Products Affected

Vendor Product Version
oracle communications_brm_-_elastic_charging_engine 12.0.0.5.0
oracle primavera_unifier 20.12
oracle financial_services_enterprise_case_management 8.0.7.1
oracle financial_services_behavior_detection_platform 8.1.1.0
oracle financial_services_enterprise_case_management 8.0.8.0
oracle financial_services_enterprise_case_management 8.1.1.0
oracle communications_brm_-_elastic_charging_engine *
oracle financial_services_behavior_detection_platform *
apache kafka 2.8.0
oracle financial_services_behavior_detection_platform 8.1.1.1
quarkus quarkus *
oracle financial_services_enterprise_case_management 8.0.8.1
oracle primavera_unifier 18.8
oracle primavera_unifier 19.12
oracle primavera_unifier 21.12
oracle financial_services_analytical_applications_infrastructure *
oracle financial_services_behavior_detection_platform 8.1.2.0
oracle financial_services_enterprise_case_management 8.0.7.2
oracle communications_cloud_native_core_policy 1.15.0
oracle financial_services_enterprise_case_management 8.1.1.1
apache kafka *
CVE-2021-43797 MEDIUM

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-444,CWE-444,

Products Affected

Vendor Product Version
debian debian_linux 10.0
oracle communications_design_studio 7.4.2
oracle banking_deposits_and_lines_of_credit_servicing 2.7
oracle communications_cloud_native_core_binding_support_function 1.11.0
quarkus quarkus *
oracle coherence 12.2.1.4.0
oracle communications_cloud_native_core_security_edge_protection_proxy 1.7.0
debian debian_linux 11.0
oracle banking_platform 2.6.2
oracle communications_cloud_native_core_network_slice_selection_function 1.8.0
oracle communications_cloud_native_core_unified_data_repository 1.15.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle banking_party_management 2.7.0
netapp snapcenter -
oracle helidon 2.4.0
oracle coherence 14.1.1.0.0
netapp oncommand_workflow_automation -
oracle peoplesoft_enterprise_peopletools 8.59
oracle helidon 1.4.10
oracle communications_cloud_native_core_policy 1.15.0
netty netty *
oracle communications_instant_messaging_server 8.1
CVE-2022-0981 MEDIUM

A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy Reactive. This flaw allows a low-privileged user to perform operations on the database with a different set of privileges than intended.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,CWE-863,

Products Affected

Vendor Product Version
quarkus quarkus *
CVE-2022-21363 MEDIUM

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert_us@oracle.com 6.6 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.7 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
quarkus quarkus *
oracle mysql_connectors *
CVE-2022-21724 HIGH

pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-665,CWE-665,

Products Affected

Vendor Product Version
quarkus quarkus *
debian debian_linux 10.0
debian debian_linux 11.0
fedoraproject fedora 35
postgresql postgresql_jdbc_driver *
debian debian_linux 9.0
postgresql postgresql_jdbc_driver 42.3.2
CVE-2022-2466

It was found that Quarkus 2.10.x does not terminate HTTP requests header context which may lead to unpredictable behavior.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
quarkus quarkus *
CVE-2022-4116

A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution.

Products Affected

Vendor Product Version
quarkus quarkus *
redhat build_of_quarkus -
CVE-2022-4147

Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on the object returned by the XMLHttpRequest upload property and have no ReadableStream object used in the request.

Products Affected

Vendor Product Version
quarkus quarkus *
CVE-2022-42003

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Products Affected

Vendor Product Version
quarkus quarkus *
debian debian_linux 10.0
debian debian_linux 11.0
fasterxml jackson-databind *
netapp oncommand_workflow_automation -
CVE-2022-42004

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Products Affected

Vendor Product Version
quarkus quarkus *
debian debian_linux 10.0
debian debian_linux 11.0
fasterxml jackson-databind *
netapp oncommand_workflow_automation -
CVE-2023-0044

If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
quarkus quarkus *
redhat build_of_quarkus -
CVE-2023-0481

In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile() is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

Products Affected

Vendor Product Version
quarkus quarkus *
CVE-2023-1584

A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
secalert@redhat.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
quarkus quarkus *
CVE-2023-4853

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
redhat decision_manager 7.0
redhat jboss_middleware 1
redhat integration_camel_k *
redhat openshift_container_platform 4.11
redhat build_of_optaplanner 8.0
redhat openshift_container_platform 4.10
redhat integration_service_registry -
redhat openshift_serverless 1.0
redhat process_automation_manager 7.0
quarkus quarkus *
redhat openshift_serverless -
redhat jboss_middleware_text-only_advisories 1.0
redhat integration_camel_quarkus -
redhat openshift_container_platform 4.12
redhat build_of_quarkus *
CVE-2023-5720

A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access potentially sensitive information from the build system within the application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
secalert@redhat.com 7.7 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 3.1 4.0

Products Affected

Vendor Product Version
quarkus quarkus *
quarkus quarkus 3.0.0
CVE-2023-6267

A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
secalert@redhat.com 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 3.9 4.7

Products Affected

Vendor Product Version
quarkus quarkus *
quarkus quarkus 3.2.9
quarkus quarkus 2.13.9
CVE-2023-6394

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

Products Affected

Vendor Product Version
quarkus quarkus *
redhat build_of_quarkus -
CVE-2024-12225

A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST endpoints, the default endpoints remain accessible, potentially allowing attackers to obtain a login cookie that has no corresponding user in the Quarkus application or, depending on how the application is written, could correspond to an existing user that has no relation with the current attacker, allowing anyone to log in as an existing user by just knowing that user's user name.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

Products Affected

Vendor Product Version
quarkus quarkus *
CVE-2025-66560

Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance, or complete unavailability of the application. This issue has been patched in versions 3.31.0, 3.27.2, and 3.20.5. A workaround involves implementing a health check that monitors the status and saturation of the worker thread pool to detect abnormal thread retention early.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
quarkus quarkus *