Filtered by vendor Redhat Subscriptions
Filtered by product Camel Quarkus Subscriptions
Total 134 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2021-30129 3 Apache, Oracle, Redhat 13 Sshd, Banking Payments, Banking Trade Finance and 10 more 2024-08-03 6.5 Medium
A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0
CVE-2021-29505 6 Debian, Fedoraproject, Netapp and 3 more 23 Debian Linux, Fedora, Snapmanager and 20 more 2024-08-03 7.5 High
XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
CVE-2021-29429 3 Gradle, Quarkus, Redhat 4 Gradle, Quarkus, Camel Quarkus and 1 more 2024-08-03 4 Medium
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only.
CVE-2021-28163 6 Apache, Eclipse, Fedoraproject and 3 more 30 Ignite, Solr, Jetty and 27 more 2024-08-03 2.7 Low
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
CVE-2021-28169 5 Debian, Eclipse, Netapp and 2 more 14 Debian Linux, Jetty, Active Iq Unified Manager and 11 more 2024-08-03 5.3 Medium
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVE-2021-28168 3 Eclipse, Oracle, Redhat 6 Jersey, Communications Cloud Native Core Policy, Communications Cloud Native Core Unified Data Repository and 3 more 2024-08-03 6.2 Medium
Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.
CVE-2021-28170 4 Eclipse, Oracle, Quarkus and 1 more 11 Jakarta Expression Language, Communications Cloud Native Core Policy, Weblogic Server and 8 more 2024-08-03 5.3 Medium
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
CVE-2021-28164 4 Eclipse, Netapp, Oracle and 1 more 23 Jetty, Cloud Manager, E-series Performance Analyzer and 20 more 2024-08-03 5.3 Medium
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVE-2021-28165 5 Eclipse, Jenkins, Netapp and 2 more 28 Jetty, Jenkins, Cloud Manager and 25 more 2024-08-03 7.5 High
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVE-2021-27568 3 Json-smart Project, Oracle, Redhat 11 Json-smart-v1, Json-smart-v2, Communications Cloud Native Core Policy and 8 more 2024-08-03 5.9 Medium
An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.
CVE-2021-26291 4 Apache, Oracle, Quarkus and 1 more 9 Maven, Financial Services Analytical Applications Infrastructure, Goldengate Big Data And Application Adapters and 6 more 2024-08-03 9.1 Critical
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html
CVE-2021-22569 3 Google, Oracle, Redhat 14 Google-protobuf, Protobuf-java, Protobuf-kotlin and 11 more 2024-08-03 7.5 High
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
CVE-2021-22135 2 Elastic, Redhat 2 Elasticsearch, Camel Quarkus 2024-08-03 5.3 Medium
Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester which could lead to disclosing the existence of documents and fields the attacker should not be able to view.
CVE-2021-22132 3 Elastic, Oracle, Redhat 4 Elasticsearch, Communications Cloud Native Core Automated Test Suite, Camel Quarkus and 1 more 2024-08-03 4.8 Medium
Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2
CVE-2021-22137 2 Elastic, Redhat 3 Elasticsearch, Camel Quarkus, Integration 2024-08-03 5.3 Medium
In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.
CVE-2021-21350 5 Debian, Fedoraproject, Oracle and 2 more 20 Debian Linux, Fedora, Banking Enterprise Default Management and 17 more 2024-08-03 5.3 Medium
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVE-2021-21342 5 Debian, Fedoraproject, Oracle and 2 more 18 Debian Linux, Fedora, Banking Enterprise Default Management and 15 more 2024-08-03 5.3 Medium
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVE-2021-21341 5 Debian, Fedoraproject, Oracle and 2 more 16 Debian Linux, Fedora, Banking Enterprise Default Management and 13 more 2024-08-03 7.5 High
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVE-2021-21345 5 Debian, Fedoraproject, Oracle and 2 more 20 Debian Linux, Fedora, Banking Enterprise Default Management and 17 more 2024-08-03 5.8 Medium
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVE-2021-21344 5 Debian, Fedoraproject, Oracle and 2 more 20 Debian Linux, Fedora, Banking Enterprise Default Management and 17 more 2024-08-03 5.3 Medium
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.