Search for packages
| purl | pkg:rpm/redhat/eap7-h2database@1.4.197-3.redhat_00004.1?arch=el7eap |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-698m-2hju-2qcv
Aliases: CVE-2021-4104 GHSA-fp5r-v3w9-4333 |
Deserialization of Untrusted Data JMSAppender in Log4j is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide `TopicBindingName` and `TopicConnectionFactoryBindingName` configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j when specifically configured to use JMSAppender, which is not the default. Apache Log4j reached end of life in August Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. | There are no reported fixed by versions. |
|
VCID-6tyr-1gfy-fua1
Aliases: CVE-2022-23221 GHSA-45hx-wfhj-473x |
Improper Control of Generation of Code ('Code Injection') H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392. | There are no reported fixed by versions. |
|
VCID-6yqn-2w2d-3yd3
Aliases: CVE-2023-39410 GHSA-rhrv-645h-fjfh PYSEC-2023-188 |
When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue. | There are no reported fixed by versions. |
|
VCID-9k99-jzq8-fyge
Aliases: CVE-2022-23305 GHSA-65fg-84f6-3jq3 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') By design, the JDBCAppender in Log4j accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j when specifically configured to use the JDBCAppender, which is not the default. Beginning, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j reached end of life in August Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. | There are no reported fixed by versions. |
|
VCID-agjx-5whj-dyac
Aliases: CVE-2024-47561 GHSA-r7pg-v2c8-mfg3 |
Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK) Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue. | There are no reported fixed by versions. |
|
VCID-bbq3-tx7c-yucn
Aliases: CVE-2022-23307 GHSA-f7vh-qwp3-x37m |
This advisory has been marked as False Positive and removed. | There are no reported fixed by versions. |
|
VCID-cf5j-2dz8-7bbu
Aliases: CVE-2021-3859 GHSA-339q-62wm-c39w GMS-2022-2963 |
Undertow vulnerable to Denial of Service (DoS) attacks Undertow client side invocation timeout raised when calling over HTTP2, this vulnerability can allow attacker to carry out denial of service (DoS) attacks in versions less than 2.2.15 Final. | There are no reported fixed by versions. |
|
VCID-efw6-swgm-4fbc
Aliases: CVE-2024-28752 GHSA-qmgx-j96g-4428 |
SSRF vulnerability using the Aegis DataBinding in Apache CXF A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted. | There are no reported fixed by versions. |
|
VCID-khr7-6pza-afab
Aliases: CVE-2023-26464 GHSA-vp98-w2p3-mv35 |
Apache Log4j 1.x (EOL) allows Denial of Service (DoS) ** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | There are no reported fixed by versions. |
|
VCID-knw5-d2nn-vyhq
Aliases: CVE-2022-41853 GHSA-77xx-rxvh-q682 |
HyperSQL DataBase vulnerable to remote code execution when processing untrusted input Those using `java.sql.Statement` or `java.sql.PreparedStatement` in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, `System.setProperty("hsqldb.method_class_names", "abc")` or Java argument `-Dhsqldb.method_class_names="abc"` can be used. From version 2.7.1 all classes by default are not accessible except those in `java.lang.Math` and need to be manually enabled. | There are no reported fixed by versions. |
|
VCID-rfs8-njaq-qkc8
Aliases: CVE-2022-34169 GHSA-9339-86wc-4qgf |
Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. A fix for this issue was published in September 2022 as part of an anticipated 2.7.3 release. | There are no reported fixed by versions. |
|
VCID-rgtf-p6z8-dkc3
Aliases: CVE-2023-5685 GHSA-7f88-5hhx-67m2 |
XNIO denial of service vulnerability A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS). Version 3.8.14.Final is expected to contain a fix. | There are no reported fixed by versions. |
|
VCID-y8up-mkx2-abcn
Aliases: CVE-2022-46364 GHSA-x3x3-qwjq-8gj4 |
Apache CXF Server-Side Request Forgery vulnerability A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. | There are no reported fixed by versions. |
|
VCID-zxsk-ucu6-73h1
Aliases: CVE-2023-3171 |
eap-7: heap exhaustion via deserialization | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||