VulnerableCode Package Details - pkg:rpm/redhat/eap7-jackson-modules-base@2.10.4-4.redhat

Vulnerabilities affecting this package (9)

Vulnerability	Summary	Fixed by
VCID-8977-tjss-w7ba Aliases: CVE-2021-45046 GHSA-7rjr-3q55-vv33	Incomplete fix for Apache Log4j vulnerability The fix to address [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack.	There are no reported fixed by versions.
VCID-9bk7-2rsc-nbd6 Aliases: CVE-2020-13936 GHSA-59j4-wjwp-mw9m	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.	There are no reported fixed by versions.
VCID-j986-mtma-b3bw Aliases: CVE-2022-42889 GHSA-599f-7c49-w659	Arbitrary code execution in Apache Commons Text Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.	There are no reported fixed by versions.
VCID-jstt-6zs3-ybew Aliases: CVE-2021-42392 GHSA-h376-j262-vhq6 GMS-2022-7	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in com.h2database:h2.	There are no reported fixed by versions.
VCID-jwav-88m7-6fhz Aliases: CVE-2021-44228 GHSA-jfh8-c2jp-5v3q	Remote code injection in Log4j Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. As per [Apache's Log4j security guide](https://logging.apache.org/log4j/2.x/security.html): Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.16.0, this behavior has been disabled by default. Log4j version 2.15.0 contained an earlier fix for the vulnerability, but that patch did not disable attacker-controlled JNDI lookups in all situations. For more information, see the `Updated advice for version 2.16.0` section of this advisory.	There are no reported fixed by versions.
VCID-netd-rr9e-wbg5 Aliases: CVE-2022-45047 GHSA-fhw8-8j55-vwgq	Unsafe deserialization in Apache MINA SSHD Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server. Until version 2.1.0, the code affected by this vulnerability appeared in `org.apache.sshd:sshd-core`. Version 2.1.0 contains a [commit](https://github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0) where the code was moved to the package `org.apache.sshd:sshd-common`, which did not exist until version 2.1.0.	There are no reported fixed by versions.
VCID-qruf-r6dc-3ugj Aliases: CVE-2022-41881 GHSA-fx2c-96vj-985v	HAProxyMessageDecoder Stack Exhaustion DoS ### Impact A StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. ### Patches Users should upgrade to 4.1.86.Final. ### Workarounds There is no workaround, except using a custom HaProxyMessageDecoder. ### References When parsing a TLV with type = PP2_TYPE_SSL, the value can be again a TLV with type = PP2_TYPE_SSL and so on. The only limitation of the recursion is that the TLV length cannot be bigger than 0xffff because it is encoded in an unsigned short type. Providing a TLV with a nesting level that is large enough will lead to raising of a StackOverflowError. The StackOverflowError will be caught if HAProxyMessageDecoder is used as part of Netty’s ChannelPipeline, but using it directly without the ChannelPipeline will lead to a thrown exception / crash. ### For more information If you have any questions or comments about this advisory: * Open an issue in [netty](https://github.com/netty/netty)	There are no reported fixed by versions.
VCID-turp-dju7-c7fx Aliases: CVE-2021-44906 GHSA-xvch-5gv4-984h	Prototype Pollution in minimist Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).	There are no reported fixed by versions.
VCID-xzs8-rbhd-mkbp Aliases: CVE-2022-46363 GHSA-3w37-5p3p-jv92	Apache CXF vulnerable to Exposure of Sensitive Information A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.	There are no reported fixed by versions.

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	10.0

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T14:02:54.983820+00:00	RedHat Importer	Affected by	VCID-9bk7-2rsc-nbd6	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-13936.json	38.0.0
2026-04-01T14:00:42.844815+00:00	RedHat Importer	Affected by	VCID-jwav-88m7-6fhz	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44228.json	38.0.0
2026-04-01T14:00:41.179774+00:00	RedHat Importer	Affected by	VCID-8977-tjss-w7ba	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-45046.json	38.0.0
2026-04-01T14:00:36.279024+00:00	RedHat Importer	Affected by	VCID-jstt-6zs3-ybew	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-42392.json	38.0.0
2026-04-01T13:59:16.479909+00:00	RedHat Importer	Affected by	VCID-turp-dju7-c7fx	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44906.json	38.0.0
2026-04-01T13:56:43.933542+00:00	RedHat Importer	Affected by	VCID-j986-mtma-b3bw	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-42889.json	38.0.0
2026-04-01T13:56:18.705364+00:00	RedHat Importer	Affected by	VCID-netd-rr9e-wbg5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-45047.json	38.0.0
2026-04-01T13:56:08.714439+00:00	RedHat Importer	Affected by	VCID-qruf-r6dc-3ugj	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41881.json	38.0.0
2026-04-01T13:56:05.822690+00:00	RedHat Importer	Affected by	VCID-xzs8-rbhd-mkbp	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-46363.json	38.0.0