| Field | Value |
|---|---|
| purl | pkg:rpm/redhat/eap7-xml-security@2.0.10-2.redhat_00002.1.ep7?arch=el7 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-14ff-vn3t-vyhy (Aliases: CVE-2021-3690, GHSA-fj7c-vg2v-ccrm, GMS-2022-2964) | Undertow vulnerable to memory exhaustion due to buffer leak: a buffer leak on incoming WebSocket PONG message(s) in Undertow before 2.0.40 and 2.2.10 can lead to memory exhaustion and allow a denial of service. | There are no reported fixed by versions. |
| VCID-1vrj-chs2-d3ab (Aliases: CVE-2023-1973, GHSA-97cq-f4jm-mv8h) | Undertow Denial of Service vulnerability: a flaw was found in the Undertow package. Using the FormAuthenticationMechanism, a malicious user could trigger a denial of service by sending crafted requests, leading the server to an OutOfMemoryError and exhausting the server's memory. | There are no reported fixed by versions. |
| VCID-469b-j213-6ufk (Aliases: CVE-2024-1635, GHSA-w6qf-42m7-vh68) | Undertow Uncontrolled Resource Consumption Vulnerability: a vulnerability was found in Undertow that impacts a server supporting the wildfly-http-client protocol. Whenever a malicious user opens a connection to the HTTP port of the server and then closes it immediately, the server eventually ends with both memory and open-file limits exhausted, depending on the amount of memory available. At HTTP upgrade to Remoting, the WriteTimeoutStreamSinkConduit leaks connections if the RemotingConnection is closed by the Remoting ServerConnectionOpenListener. Because the Remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the Remoting connection; that connection is unaware of the outermost layer when closing during the connection-opening procedure, so the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to the XNIO WorkerThread: the WorkerThread points to the Undertow conduit, which holds the connections, and that is what causes the leak. | There are no reported fixed by versions. |
| VCID-46y3-rx34-pyc6 (Aliases: CVE-2021-40690, GHSA-j8wc-gxx9-82hx) | Exposure of Sensitive Information to an Unauthorized Actor: all versions of Apache Santuario - XML Security for Java are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. | There are no reported fixed by versions. |
| VCID-4rxk-nhwr-ffad (Aliases: CVE-2021-37714, GHSA-m72m-mhq2-9p6c) | Uncaught Exception: jsoup is a Java library for working with HTML. Those using jsoup to parse untrusted HTML or XML may be vulnerable to DoS attacks. If the parser is run on user-supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched. There are a few available workarounds: users may rate-limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and time out parse runtimes. | There are no reported fixed by versions. |
| VCID-7yc7-e35f-8uhj (Aliases: CVE-2023-3223, GHSA-65h2-wf7m-q2v8) | Uncontrolled Resource Consumption: a flaw was found in Undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content, which may allow unauthorized users to cause a remote denial of service (DoS). If the server uses fileSizeThreshold to limit the file size, it is possible to bypass the limit by setting the file name in the request to null. | There are no reported fixed by versions. |
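The bypass described for CVE-2023-3223 is a limit that only applies to parts that carry a filename. The following is an added example, written for this page in Python, and is not Undertow's code: it builds a constructed multipart/form-data request with the standard-library email parser, then shows a per-part check that is skipped when the filename is absent beside one that bounds every part. The boundary string, the 64-byte threshold and the 4096-byte request cap are assumed values chosen for the example.

```python
"""Per-part size enforcement for multipart/form-data: weak form beside hardened form.

Added example, not Undertow's implementation. The request body is constructed
inline so the block runs offline.
"""
from email import policy
from email.parser import BytesParser

BOUNDARY = "----example-boundary"   # constructed for the example
FILE_SIZE_THRESHOLD = 64            # assumed per-part limit, in bytes
MAX_REQUEST_SIZE = 4096             # assumed whole-body limit, in bytes


class PartTooLarge(ValueError):
    """Raised when a part (or the whole request) exceeds its limit."""


def build_request(parts):
    """Build a multipart/form-data body from (name, filename_or_None, payload) triples.

    A part whose filename is None mimics the 'file name set to null' case.
    """
    chunks = []
    for name, filename, payload in parts:
        disposition = f'form-data; name="{name}"'
        if filename is not None:
            disposition += f'; filename="{filename}"'
        header = f"--{BOUNDARY}\r\nContent-Disposition: {disposition}\r\n\r\n"
        chunks.append(header.encode("ascii") + payload + b"\r\n")
    chunks.append(f"--{BOUNDARY}--\r\n".encode("ascii"))
    return b"".join(chunks)


def parse_parts(body: bytes):
    """Yield (filename, payload_bytes) for each part using the stdlib email parser."""
    head = f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n\r\n".encode("ascii")
    msg = BytesParser(policy=policy.default).parsebytes(head + body)
    for part in msg.iter_parts():
        yield part.get_filename(), part.get_payload(decode=True)


def total_accepted_vulnerable(body: bytes) -> int:
    """Weak check: the per-part threshold is applied only when a filename is present.

    A part with no filename is accepted at any size up to the request cap, which
    is exactly the bypass the advisory describes.
    """
    if len(body) > MAX_REQUEST_SIZE:
        raise PartTooLarge("request body exceeds MAX_REQUEST_SIZE")
    accepted = 0
    for filename, payload in parse_parts(body):
        if filename is not None and len(payload) > FILE_SIZE_THRESHOLD:
            raise PartTooLarge(f"file part {filename!r} exceeds FILE_SIZE_THRESHOLD")
        accepted += len(payload)
    return accepted


def total_accepted_hardened(body: bytes) -> int:
    """Hardened check: every part is bounded, whether or not it names a file."""
    if len(body) > MAX_REQUEST_SIZE:
        raise PartTooLarge("request body exceeds MAX_REQUEST_SIZE")
    accepted = 0
    for filename, payload in parse_parts(body):
        if len(payload) > FILE_SIZE_THRESHOLD:
            raise PartTooLarge(f"part {filename!r} exceeds FILE_SIZE_THRESHOLD")
        accepted += len(payload)
    return accepted


def rejects(check, body: bytes) -> bool:
    """True if `check` refuses `body` with PartTooLarge."""
    try:
        check(body)
        return False
    except PartTooLarge:
        return True


if __name__ == "__main__":
    big_unnamed = build_request([("f", None, b"A" * 500)])
    print("vulnerable check accepts 500-byte unnamed part:",
          not rejects(total_accepted_vulnerable, big_unnamed))
    print("hardened check accepts it:",
          not rejects(total_accepted_hardened, big_unnamed))
```

The real fix in a container is to count every part against the configured threshold and against the overall request size, and to reject oversized parts before buffering them rather than after, so memory use is bounded by the limits rather than by what the client chooses to send.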
| VCID-93ut-2de3-ckc5 (Aliases: CVE-2022-1319) | undertow: double AJP response for 400 from EAP 7 results in CPING failures | There are no reported fixed by versions. |
| VCID-cf5j-2dz8-7bbu (Aliases: CVE-2021-3859, GHSA-339q-62wm-c39w, GMS-2022-2963) | Undertow vulnerable to Denial of Service (DoS) attacks: an Undertow client-side invocation timeout is raised when calling over HTTP/2. This vulnerability can allow an attacker to carry out denial of service (DoS) attacks in versions earlier than 2.2.15.Final. | There are no reported fixed by versions. |
| VCID-e3vc-jpft-gye7 (Aliases: CVE-2022-0084, GHSA-76fg-mhrg-fmmg) | XNIO `notifyReadClosed` method logging message to unexpected end: a flaw was found in XNIO, specifically in the `notifyReadClosed` method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up. A fix for this issue is available on the `3.x` branch of the repository. | There are no reported fixed by versions. |
| VCID-hqzr-vc5w-9ff5 (Aliases: CVE-2022-40152, GHSA-3f7h-mf4q-vrm4) | Denial of Service due to parser crash: those using FasterXML/woodstox to serialize XML data may be vulnerable to denial of service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack. This vulnerability is only relevant for users making use of the DTD parsing functionality. | There are no reported fixed by versions. |
| VCID-kexn-gjxj-uudm (Aliases: CVE-2022-24785, GHSA-8hfj-j24r-96c4) | Path Traversal: 'dir/../../filename' in moment.locale. This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. `fr`, is used directly to switch the moment locale. | There are no reported fixed by versions. |
| VCID-mm3e-4pej-byed (Aliases: CVE-2022-25857, GHSA-3mc7-4q67-w48m) | Uncontrolled Resource Consumption in snakeyaml: the package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to denial of service (DoS) due to a missing nesting-depth limitation for collections. | There are no reported fixed by versions. |
| VCID-nfjb-tkzv-fudg (Aliases: CVE-2022-25647, GHSA-4jrv-ppp4-jm57) | The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks. | There are no reported fixed by versions. |
| VCID-sqx4-euc2-myew (Aliases: CVE-2022-40149, GHSA-56h3-78gp-v83r) | Jettison parser crash by stack overflow: those using Jettison to parse untrusted XML or JSON data may be vulnerable to denial of service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack. | There are no reported fixed by versions. |
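The snakeyaml (CVE-2022-25857) and Jettison (CVE-2022-40149) entries share one failure mode: a recursive-descent parser with no nesting-depth limit is driven into a stack overflow by deeply nested collections, and the jsoup entry's workaround of limiting input size by system resources applies to the same class of input. The following is an added example in Python, not code from any of those projects: a linear-time, constant-memory pre-parse guard that caps input size and bracket nesting depth before the document reaches the real parser. The 1 MiB and depth-50 limits are assumed values; the sample documents are constructed for the example.

```python
"""Pre-parse size and nesting-depth guard for JSON / YAML flow-style input.

Added example, not snakeyaml's, Jettison's or jsoup's code. The guard itself is
iterative, so it cannot be driven into a stack overflow by the input it checks.
"""
import json

MAX_INPUT_BYTES = 1 << 20   # assumed: 1 MiB cap on an untrusted document
MAX_NESTING = 50            # assumed: collections nested deeper than this are rejected


class UntrustedInputRejected(ValueError):
    """Raised when a document violates the size or depth limit."""


def check_nesting(data: bytes, max_bytes: int = MAX_INPUT_BYTES,
                  max_depth: int = MAX_NESTING) -> int:
    """Return the maximum nesting depth of `data`, or raise UntrustedInputRejected.

    Counts '[' and '{' against ']' and '}' outside quoted strings, so a bracket
    inside "a string like [this]" is not counted. Backslash escapes inside
    strings are honoured so an escaped quote does not end the string early.
    """
    if len(data) > max_bytes:
        raise UntrustedInputRejected(f"input of {len(data)} bytes exceeds {max_bytes}")
    depth = 0
    deepest = 0
    in_string = False
    quote = 0
    escaped = False
    for b in data:
        if in_string:
            if escaped:
                escaped = False
            elif b == 0x5C:          # backslash: next byte is escaped
                escaped = True
            elif b == quote:         # matching quote closes the string
                in_string = False
            continue
        if b in (0x22, 0x27):        # '"' or "'" opens a string
            in_string = True
            quote = b
        elif b in (0x5B, 0x7B):      # '[' or '{' opens a collection
            depth += 1
            if depth > max_depth:
                raise UntrustedInputRejected(f"nesting depth exceeds {max_depth}")
            deepest = max(deepest, depth)
        elif b in (0x5D, 0x7D):      # ']' or '}' closes one
            depth -= 1
            if depth < 0:
                raise UntrustedInputRejected("unbalanced closing bracket")
    if in_string or depth != 0:
        raise UntrustedInputRejected("unterminated string or unbalanced brackets")
    return deepest


def is_accepted(data: bytes, **limits) -> bool:
    """True if the guard lets `data` through to the parser."""
    try:
        check_nesting(data, **limits)
        return True
    except UntrustedInputRejected:
        return False


def safe_parse_json(data: bytes, **limits):
    """Run the guard first, then hand the document to the real (recursive) parser."""
    check_nesting(data, **limits)
    return json.loads(data)


if __name__ == "__main__":
    bomb = b"[" * 100_000 + b"]" * 100_000     # constructed nesting bomb
    print("bomb accepted:", is_accepted(bomb))  # False: rejected at depth 51
    print(safe_parse_json(b'{"a": [1, 2, {"b": "[[[["}]}'))
```

The guard only sees bracketed (flow-style) nesting, which is how JSON and the usual YAML proof-of-concept inputs express depth; block-style YAML nesting is expressed by indentation and would need an indentation-tracking pass in addition. Pair the guard with the parser's own depth limit where the library offers one, since the pre-check bounds stack use but does not replace a fix in the parser.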
| VCID-usz2-tufg-k7gz (Aliases: CVE-2023-1108, GHSA-m4mm-pg93-fv78) | Undertow denial of service vulnerability: a flaw was found in Undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status update in SslConduit, where the loop never terminates. | There are no reported fixed by versions. |
| VCID-xftw-raz7-b7e1 (Aliases: CVE-2022-2053, GHSA-95rf-557x-44g5) | Undertow vulnerable to DoS via large AJP request: when a POST request comes through AJP and exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes the connection without sending any response to the client/proxy. As a result, a front-end proxy marks the backend worker (application server) as being in an error state and does not forward requests to it for a while. In mod_cluster, this continues until the next STATUS request (sent at 10-second intervals) from the application server updates the server state, so in the worst case all workers end up in the error state and mod_cluster responds "503 Service Unavailable" for a while (up to 10 seconds). In mod_proxy_balancer, requests are not forwarded to the worker until the "retry" timeout passes; however, mod_proxy_balancer has a "forcerecovery" setting (On by default) that forces the immediate recovery of all workers, without considering their retry parameter, when all workers of a balancer are in the error state, so unlike mod_cluster it does not end up responding "503 Service Unavailable". An attacker could use this behavior to send a malicious request and trigger server errors, resulting in a denial of service (DoS). This flaw was fixed in Undertow 2.2.19.Final and Undertow 2.3.0.Alpha2. | There are no reported fixed by versions. |
| VCID-zy5r-wxv8-g3e8 (Aliases: CVE-2022-23913, GHSA-pr38-qpxm-g88x) | Uncontrolled Resource Consumption: in Apache ActiveMQ Artemis, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||