Filtered by vendor Quarkus Subscriptions
Total 45 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2021-2471 3 Oracle, Quarkus, Redhat 11 Communications Cloud Native Core Console, Communications Cloud Native Core Network Slice Selection Function, Communications Cloud Native Core Policy and 8 more 2024-09-25 5.9 Medium
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).
CVE-2022-21363 3 Oracle, Quarkus, Redhat 6 Mysql Connectors, Quarkus, Jboss Enterprise Application Platform and 3 more 2024-09-24 6.6 Medium
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
CVE-2020-28491 4 Fasterxml, Oracle, Quarkus and 1 more 11 Jackson-dataformats-binary, Weblogic Server, Quarkus and 8 more 2024-09-16 7.5 High
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.
CVE-2021-20328 3 Mongodb, Quarkus, Redhat 4 Java Driver, Quarkus, Camel Quarkus and 1 more 2024-09-16 6.4 Medium
Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.
CVE-2023-6267 2 Quarkus, Redhat 6 Quarkus, Camel Quarkus, Integration and 3 more 2024-09-16 8.6 High
A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.
CVE-2023-6394 2 Quarkus, Redhat 3 Quarkus, Build Of Quarkus, Quarkus 2024-09-16 7.4 High
A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.
CVE-2023-4853 2 Quarkus, Redhat 21 Quarkus, Build Of Optaplanner, Build Of Quarkus and 18 more 2024-09-16 8.1 High
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
CVE-2017-18640 5 Fedoraproject, Oracle, Quarkus and 2 more 8 Fedora, Peoplesoft Enterprise Pt Peopletools, Quarkus and 5 more 2024-08-05 7.5 High
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
CVE-2019-14900 3 Hibernate, Quarkus, Redhat 17 Hibernate Orm, Quarkus, Build Of Quarkus and 14 more 2024-08-05 6.5 Medium
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CVE-2020-25724 2 Quarkus, Redhat 3 Quarkus, Openshift Application Runtimes, Resteasy 2024-08-04 4.3 Medium
A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided. This flaw allows an attacker to gain access to privileged information. The highest threat from this vulnerability is to confidentiality and integrity. Versions before resteasy 2.0.0.Alpha3 are affected.
CVE-2020-25649 7 Apache, Fasterxml, Fedoraproject and 4 more 50 Iotdb, Jackson-databind, Fedora and 47 more 2024-08-04 7.5 High
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CVE-2020-25633 2 Quarkus, Redhat 7 Quarkus, Jboss Enterprise Application Platform, Jboss Fuse and 4 more 2024-08-04 5.3 Medium
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.
CVE-2020-25638 5 Debian, Hibernate, Oracle and 2 more 14 Debian Linux, Hibernate Orm, Communications Cloud Native Core Console and 11 more 2024-08-04 7.4 High
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CVE-2020-13956 5 Apache, Netapp, Oracle and 2 more 27 Httpclient, Active Iq Unified Manager, Snapcenter and 24 more 2024-08-04 5.3 Medium
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
CVE-2020-13692 6 Debian, Fedoraproject, Netapp and 3 more 14 Debian Linux, Fedora, Steelstore Cloud Integrated Storage and 11 more 2024-08-04 7.7 High
PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
CVE-2020-10693 4 Ibm, Oracle, Quarkus and 1 more 13 Websphere Application Server, Weblogic Server, Quarkus and 10 more 2024-08-04 5.3 Medium
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
CVE-2020-8908 5 Google, Netapp, Oracle and 2 more 20 Guava, Active Iq Unified Manager, Commerce Guided Search and 17 more 2024-08-04 3.3 Low
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CVE-2020-1728 2 Quarkus, Redhat 5 Quarkus, Jboss Single Sign On, Keycloak and 2 more 2024-08-04 4.8 Medium
A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.
CVE-2020-1714 2 Quarkus, Redhat 11 Quarkus, Decision Manager, Jboss Enterprise Application Platform and 8 more 2024-08-04 8.8 High
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
CVE-2021-43797 6 Debian, Netapp, Netty and 3 more 28 Debian Linux, Oncommand Workflow Automation, Snapcenter and 25 more 2024-08-04 6.5 Medium
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.