Filtered by vendor Redhat
Subscriptions
Filtered by product Camel Spring Boot
Subscriptions
Total
77 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-42889 | 4 Apache, Juniper, Netapp and 1 more | 21 Commons Text, Jsa1500, Jsa3500 and 18 more | 2024-11-21 | 9.8 Critical |
| Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. | ||||
| CVE-2022-42004 | 5 Debian, Fasterxml, Netapp and 2 more | 20 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 17 more | 2024-11-21 | 7.5 High |
| In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. | ||||
| CVE-2022-42003 | 5 Debian, Fasterxml, Netapp and 2 more | 23 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 20 more | 2024-11-21 | 7.5 High |
| In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. | ||||
| CVE-2022-41854 | 3 Fedoraproject, Redhat, Snakeyaml Project | 13 Fedora, Amq Clients, Camel Spring Boot and 10 more | 2024-11-21 | 5.8 Medium |
| Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack. | ||||
| CVE-2022-41704 | 3 Apache, Debian, Redhat | 4 Batik, Debian Linux, Camel Spring Boot and 1 more | 2024-11-21 | 7.5 High |
| A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16. | ||||
| CVE-2022-40146 | 3 Apache, Debian, Redhat | 4 Batik, Debian Linux, Camel Spring Boot and 1 more | 2024-11-21 | 7.5 High |
| Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. | ||||
| CVE-2022-38752 | 2 Redhat, Snakeyaml Project | 9 Amq Streams, Camel Spring Boot, Jboss Data Grid and 6 more | 2024-11-21 | 6.5 Medium |
| Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow. | ||||
| CVE-2022-38750 | 3 Debian, Redhat, Snakeyaml Project | 9 Debian Linux, Amq Broker, Camel Spring Boot and 6 more | 2024-11-21 | 6.5 Medium |
| Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. | ||||
| CVE-2022-38749 | 3 Debian, Redhat, Snakeyaml Project | 11 Debian Linux, Amq Broker, Amq Clients and 8 more | 2024-11-21 | 6.5 Medium |
| Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. | ||||
| CVE-2022-38648 | 3 Apache, Debian, Redhat | 4 Batik, Debian Linux, Camel Spring Boot and 1 more | 2024-11-21 | 5.3 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14. | ||||
| CVE-2022-38398 | 3 Apache, Debian, Redhat | 4 Batik, Debian Linux, Camel Spring Boot and 1 more | 2024-11-21 | 5.3 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14. | ||||
| CVE-2022-33681 | 2 Apache, Redhat | 2 Pulsar, Camel Spring Boot | 2024-11-21 | 5.9 Medium |
| Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are vulnerable. Authentication data is sent before verifying the server’s TLS certificate matches the hostname, which means authentication data could be exposed to an attacker. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. Because the client sends authentication data before performing hostname verification, an attacker could gain access to the client’s authentication data. The client eventually closes the connection when it verifies the hostname and identifies the targeted hostname does not match a hostname on the certificate. Because the client eventually closes the connection, the value of the intercepted authentication data depends on the authentication method used by the client. Token based authentication and username/password authentication methods are vulnerable because the authentication data can be used to impersonate the client in a separate session. This issue affects Apache Pulsar Java Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier. | ||||
| CVE-2022-31684 | 2 Pivotal, Redhat | 3 Reactor Netty, Camel Spring Boot, Openshift Application Runtimes | 2024-11-21 | 4.3 Medium |
| Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled. | ||||
| CVE-2022-25897 | 2 Eclipse, Redhat | 2 Milo, Camel Spring Boot | 2024-11-21 | 5.9 Medium |
| The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False. | ||||
| CVE-2022-25857 | 3 Debian, Redhat, Snakeyaml Project | 18 Debian Linux, Amq Broker, Amq Clients and 15 more | 2024-11-21 | 7.5 High |
| The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections. | ||||
| CVE-2022-1415 | 1 Redhat | 16 Camel Quarkus, Camel Spring Boot, Decision Manager and 13 more | 2024-11-21 | 8.1 High |
| A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server. | ||||
| CVE-2022-40156 | 1 Redhat | 2 Camel Quarkus, Camel Spring Boot | 2023-11-07 | 7.5 High |
| DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage. | ||||