Export limit exceeded: 354377 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (127 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-2053 | 1 Redhat | 5 Integration Camel K, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Eus and 2 more | 2024-11-21 | 7.5 High |
| When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (application server) as an error state and not forward requests to the worker for a while. In mod_cluster, this continues until the next STATUS request (10 seconds intervals) from the application server updates the server state. So, in the worst case, it can result in "All workers are in error state" and mod_cluster responds "503 Service Unavailable" for a while (up to 10 seconds). In mod_proxy_balancer, it does not forward requests to the worker until the "retry" timeout passes. However, luckily, mod_proxy_balancer has "forcerecovery" setting (On by default; this parameter can force the immediate recovery of all workers without considering the retry parameter of the workers if all workers of a balancer are in error state.). So, unlike mod_cluster, mod_proxy_balancer does not result in responding "503 Service Unavailable". An attacker could use this behavior to send a malicious request and trigger server errors, resulting in DoS (denial of service). This flaw was fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2. | ||||
| CVE-2022-24407 | 6 Cyrusimap, Debian, Fedoraproject and 3 more | 14 Cyrus-sasl, Debian Linux, Fedora and 11 more | 2024-11-21 | 8.8 High |
| In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement. | ||||
| CVE-2022-1415 | 1 Redhat | 16 Camel Quarkus, Camel Spring Boot, Decision Manager and 13 more | 2024-11-21 | 8.1 High |
| A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server. | ||||
| CVE-2022-1278 | 1 Redhat | 10 Amq, Amq Broker, Amq Online and 7 more | 2024-11-21 | 7.5 High |
| A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain. | ||||
| CVE-2022-1259 | 2 Netapp, Redhat | 12 Active Iq Unified Manager, Cloud Secure Agent, Oncommand Insight and 9 more | 2024-11-21 | 7.5 High |
| A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629. | ||||
| CVE-2022-0084 | 1 Redhat | 9 Integration Camel K, Integration Camel Quarkus, Jboss Data Grid and 6 more | 2024-11-21 | 7.5 High |
| A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up. | ||||
| CVE-2021-4178 | 1 Redhat | 13 A-mq Streams, Amq Streams, Build Of Quarkus and 10 more | 2024-11-21 | 6.7 Medium |
| A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML. | ||||
| CVE-2021-40690 | 4 Apache, Debian, Oracle and 1 more | 27 Cxf, Santuario Xml Security For Java, Tomee and 24 more | 2024-11-21 | 7.5 High |
| All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. | ||||
| CVE-2021-3690 | 1 Redhat | 14 Camel Quarkus, Enterprise Linux, Fuse and 11 more | 2024-11-21 | 7.5 High |
| A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability. | ||||
| CVE-2021-3642 | 2 Quarkus, Redhat | 18 Quarkus, Build Of Quarkus, Camel Quarkus and 15 more | 2024-11-21 | 5.3 Medium |
| A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. | ||||
| CVE-2021-3629 | 2 Netapp, Redhat | 14 Active Iq Unified Manager, Oncommand Insight, Oncommand Workflow Automation and 11 more | 2024-11-21 | 5.9 Medium |
| A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final. | ||||
| CVE-2021-3536 | 1 Redhat | 12 Build Of Quarkus, Data Grid, Descision Manager and 9 more | 2024-11-21 | 4.8 Medium |
| A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity. | ||||
| CVE-2021-3520 | 5 Lz4 Project, Netapp, Oracle and 2 more | 12 Lz4, Active Iq Unified Manager, Cloud Backup and 9 more | 2024-11-21 | 9.8 Critical |
| There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well. | ||||
| CVE-2021-38153 | 4 Apache, Oracle, Quarkus and 1 more | 15 Kafka, Communications Brm - Elastic Charging Engine, Communications Cloud Native Core Policy and 12 more | 2024-11-21 | 5.9 Medium |
| Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. | ||||
| CVE-2021-37714 | 5 Jsoup, Netapp, Oracle and 2 more | 25 Jsoup, Management Services For Element Software And Netapp Hci, Banking Trade Finance and 22 more | 2024-11-21 | 7.5 High |
| jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes. | ||||
| CVE-2021-33813 | 6 Apache, Debian, Fedoraproject and 3 more | 10 Solr, Tika, Debian Linux and 7 more | 2024-11-21 | 7.5 High |
| An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | ||||
| CVE-2021-31812 | 4 Apache, Fedoraproject, Oracle and 1 more | 8 Pdfbox, Fedora, Banking Corporate Lending Process Management and 5 more | 2024-11-21 | 5.5 Medium |
| In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions. | ||||
| CVE-2021-31811 | 4 Apache, Fedoraproject, Oracle and 1 more | 13 Pdfbox, Fedora, Banking Corporate Lending Process Management and 10 more | 2024-11-21 | 5.5 Medium |
| In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions. | ||||
| CVE-2021-30468 | 3 Apache, Oracle, Redhat | 8 Cxf, Tomee, Business Intelligence and 5 more | 2024-11-21 | 7.5 High |
| A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11. | ||||
| CVE-2021-2471 | 3 Oracle, Quarkus, Redhat | 11 Communications Cloud Native Core Console, Communications Cloud Native Core Network Slice Selection Function, Communications Cloud Native Core Policy and 8 more | 2024-11-21 | 5.9 Medium |
| Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H). | ||||