VARIoT IoT vulnerabilities database
| VAR-202204-1331 | CVE-2022-25342 | olivetti of d-color mf3555 Fraudulent Authentication Vulnerability in Firmware |
CVSS V2: 5.5 CVSS V3: 8.1 Severity: HIGH |
An issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application is affected by Broken Access Control. It does not properly validate requests for access to data and functionality under the /mngset/authset path. By not verifying permissions for access to resources, it allows a potential attacker to view pages that are not allowed. olivetti of d-color mf3555 An incorrect authentication vulnerability exists in firmware.Information may be obtained and information may be tampered with. Kyocera d-COLOR MF3555 is a color multifunction printer from Kyocera Corporation of Japan
| VAR-202204-1590 | CVE-2022-20804 | Cisco Unified Communications Manager Code problem vulnerability |
CVSS V2: 6.1 CVSS V3: 6.5 Severity: MEDIUM |
A vulnerability in the Cisco Discovery Protocol of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, adjacent attacker to cause a kernel panic on an affected system, resulting in a denial of service (DoS) condition. This vulnerability is due to incorrect processing of certain Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by continuously sending certain Cisco Discovery Protocol packets to an affected device. A successful exploit could allow the attacker to cause a kernel panic on the system that is running the affected software, resulting in a DoS condition. Cisco Unified Communications Manager is a call processing component in a unified communication system of Cisco (Cisco). This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. Unified Communications Manager Session Management Edition is the session management version of Unified Communications Manager
| VAR-202204-1470 | CVE-2022-20778 | Cisco Webex Meetings Cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
A vulnerability in the authentication component of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based interface of the authentication component of Cisco Webex Meetings. An attacker could exploit this vulnerability by persuading a user of the interface to click a maliciously crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information
| VAR-202204-1318 | CVE-2022-29266 | Apache Software Foundation of APISIX Vulnerability regarding information leakage due to error messages in |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information. Apache Apisix is a cloud-native microservice API gateway service of the Apache Foundation. The software is implemented based on OpenResty and etcd, with dynamic routing and plug-in hot loading, suitable for API management under the microservice system. An attacker could exploit this vulnerability to obtain the secret configured by the plugin by sending an incorrect JSON Web Token to a route protected by the jwt-auth plugin and responding with an error message
| VAR-202204-0750 | CVE-2022-20789 | Cisco Unified Communications Manager Security hole |
CVSS V2: 8.5 CVSS V3: 6.5 Severity: MEDIUM |
A vulnerability in the software upgrade process of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to write arbitrary files on the affected system. This vulnerability is due to improper restrictions applied to a system script. An attacker could exploit this vulnerability by using crafted variables during the execution of a system upgrade. A successful exploit could allow the attacker to overwrite or append arbitrary data to system files using root-level privileges. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-arb-write-74QzruUU
| VAR-202204-1156 | CVE-2022-20788 | Cisco Unity Connection and Cisco Unified Communications Manager Cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. Cisco Unified Communications Manager is a call processing component in a unified communication system of Cisco (Cisco). This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. Unified Communications Manager Session Management Edition is the session management version of Unified Communications Manager. Browser Sensitive Information
| VAR-202206-0191 | CVE-2022-29730 | plural usr Product use of hardcoded credentials vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
USR IOT 4G LTE Industrial Cellular VPN Router v1.0.36 was discovered to contain hard-coded credentials for its highest privileged account. The credentials cannot be altered through normal operation of the device. usr-g808 firmware, usr-g807 firmware, usr-g806 firmware etc. usr The product contains a vulnerability related to the use of hardcoded credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. USR-G806 adopts high performance embedded CPU whichcan support 580MHz working frequency and can be widely used in Smart Grid,Smart Home, public bus and Vending machine for data transmission at highspeed. USR-G806 supports various functions such as APN card, VPN, WIFIDOG,flow control and has many advantages including high reliability, simpleoperation, reasonable price. USR-G806 supports WAN interface, LAN interface,WLAN interface, 4G interface. The 'usr' account with password 'www.usr.cn' has the highestprivileges on the device. The password is also the default WLAN password.Tested on: GNU/Linux 3.10.14 (mips)OpenWrt/Linaro GCC 4.8-2014.04Ralink SoC MT7628 PCIe RC modeBusyBox v1.22.1uhttpdLua
| VAR-202204-0819 | CVE-2022-1254 | McAfee's McAfee Web Gateway Open Redirect Vulnerability in Software |
CVSS V2: 5.8 CVSS V3: 6.1 Severity: MEDIUM |
A URL redirection vulnerability in Skyhigh SWG in main releases 10.x prior to 10.2.9, 9.x prior to 9.2.20, 8.x prior to 8.2.27, and 7.x prior to 7.8.2.31, and controlled release 11.x prior to 11.1.3 allows a remote attacker to redirect a user to a malicious website controlled by the attacker. This is possible because SWG incorrectly creates a HTTP redirect response when a user clicks a carefully constructed URL. Following the redirect response, the new request is still filtered by the SWG policy. McAfee's McAfee Web Gateway The software contains an open redirect vulnerability.Information may be obtained and information may be tampered with
| VAR-202204-1467 | CVE-2022-20783 | Cisco RoomOS Software and Cisco TelePresence Collaboration Endpoint Software Input validation error vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
A vulnerability in the packet processing functionality of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted H.323 traffic to an affected device. A successful exploit could allow the attacker to cause the affected device to either reboot normally or reboot into maintenance mode, which could result in a DoS condition on the device
| VAR-202204-1473 | CVE-2022-20773 | Cisco Umbrella Trust Management Issue Vulnerability |
CVSS V2: 6.8 CVSS V3: 7.5 Severity: HIGH |
A vulnerability in the key-based SSH authentication mechanism of Cisco Umbrella Virtual Appliance (VA) could allow an unauthenticated, remote attacker to impersonate a VA. This vulnerability is due to the presence of a static SSH host key. An attacker could exploit this vulnerability by performing a man-in-the-middle attack on an SSH connection to the Umbrella VA. A successful exploit could allow the attacker to learn the administrator credentials, change configurations, or reload the VA. Note: SSH is not enabled by default on the Umbrella VA
| VAR-202204-1155 | CVE-2022-20787 | Cisco Unified Communications Manager Cross-site request forgery vulnerability |
CVSS V2: 6.0 CVSS V3: 6.8 Severity: MEDIUM |
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) Software and Cisco Unified CM Session Management Edition (SME) Software could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. Cisco Unified Communications Manager is a call processing component in a unified communication system of Cisco (Cisco). This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. Unified Communications Manager Session Management Edition is the session management version of Unified Communications Manager
| VAR-202204-1586 | CVE-2022-20732 | Cisco Virtualized Infrastructure Manager Access control error vulnerability |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
A vulnerability in the configuration file protections of Cisco Virtualized Infrastructure Manager (VIM) could allow an authenticated, local attacker to access confidential information and elevate privileges on an affected device. This vulnerability is due to improper access permissions for certain configuration files. An attacker with low-privileged credentials could exploit this vulnerability by accessing an affected device and reading the affected configuration files. A successful exploit could allow the attacker to obtain internal database credentials, which the attacker could use to view and modify the contents of the database. The attacker could use this access to the database to elevate privileges on the affected device. Cisco Virtualized Infrastructure Manager is a fully automated cloud lifecycle management system from Cisco
| VAR-202204-0619 | CVE-2022-20805 | Cisco Umbrella Encryption problem vulnerability |
CVSS V2: 2.7 CVSS V3: 4.1 Severity: MEDIUM |
A vulnerability in the automatic decryption process in Cisco Umbrella Secure Web Gateway (SWG) could allow an authenticated, adjacent attacker to bypass the SSL decryption and content filtering policies on an affected system. This vulnerability is due to how the decryption function uses the TLS Sever Name Indication (SNI) extension of an HTTP request to discover the destination domain and determine if the request needs to be decrypted. An attacker could exploit this vulnerability by sending a crafted request over TLS from a client to an unknown or controlled URL. A successful exploit could allow an attacker to bypass the decryption process of Cisco Umbrella SWG and allow malicious content to be downloaded to a host on a protected network. There are workarounds that address this vulnerability. Cisco Umbrella is a cloud security platform of Cisco (Cisco). The platform protects against cyber threats such as phishing, malware, and ransomware.
This advisory is available at the following link:tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uswg-fdbps-xtTRKpp6
| VAR-202204-0596 | CVE-2022-21434 | Red Hat Security Advisory 2022-1439-01 |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/):
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
5. See the following advisory for the RPM packages for this
release:
https://access.redhat.com/errata/RHBA-2022:2270
Space precludes documenting all of the container images in this advisory.
You may download the oc tool and use it to inspect release image metadata
as follows:
(For x86_64 architecture)
$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.8.41-x86_64
The image digest is
sha256:4ebcb3aea63d4acbb92118d3ae7ed08d3ebb1a66e7f79fddbb4da74883a12d0a
(For s390x architecture)
$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.8.41-s390x
The image digest is
sha256:5ed0fc5b89e3ec257db50f936f788492211e4de4a741f930191ab2d3bc7ceec3
(For ppc64le architecture)
$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.8.41-ppc64le
The image digest is
sha256:908ec3688cc152b15faaea3f71bb4ba59565df60e9846f08fcd15a6c2b43274a
All OpenShift Container Platform 4.8 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html
3. Solution:
For OpenShift Container Platform 4.8 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html
4. Bugs fixed (https://bugzilla.redhat.com/):
2057544 - Cancel rpm-ostree transaction after failed rebase
2058674 - whereabouts IPAM CNI ip-reconciler cronjob specification requires hostnetwork, api-int lb usage & proper backoff
2062655 - [4.8.z backport] cluster scaling new nodes ovs-configuration fails on all new nodes
2070762 - [4.8z] WebScale: duplicate ecmp next hop error caused by multiple of the same gateway IPs in ovnkube cache
2074053 - Internal registries with a big number of images delay pod creation due to recursive SELinux file context relabeling
2074680 - csv_succeeded metric not present in olm-operator for all successful CSVs
2076211 - CVE-2022-1677 openshift/router: route hijacking attack via crafted HAProxy configuration file
2077004 - Bump to latest available 1.21.11 k8s
2077370 - [4.8.z] NetworkPolicy tests are failing on metal IPv6
2077765 - (release-4.8) Gather namespace names with overlapping UID ranges
2078477 - Latest ose-jenkins-agent-base:v4.9.0 image fails to start on OpenShift due to FIPS error
2084259 - [4.8] OCP ignores STOPSIGNAL in Dockerfile and sends SIGTERM
2088196 - Redfish set boot device failed for node in OCP 4.8 latest RC
5. 9) - aarch64, noarch, ppc64le, s390x, x86_64
3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: java-1.7.1-ibm security update
Advisory ID: RHSA-2022:4957-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://access.redhat.com/errata/RHSA-2022:4957
Issue date: 2022-06-08
CVE Names: CVE-2021-35561 CVE-2022-21299 CVE-2022-21434
CVE-2022-21443 CVE-2022-21496
====================================================================
1. Summary:
An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux
7 Supplementary.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client Supplementary (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Supplementary (v. 7) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 7) - x86_64
3. Description:
IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment
and the IBM Java Software Development Kit.
This update upgrades IBM Java SE 7 to version 7R1 SR5-FP10.
Security Fix(es):
* OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility,
8266097) (CVE-2021-35561)
* OpenJDK: Infinite loop related to incorrect handling of newlines in
XMLEntityScanner (JAXP, 8270646) (CVE-2022-21299)
* OpenJDK: Improper object-to-string conversion in
AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)
* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
(CVE-2022-21443)
* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of IBM Java must be restarted for this update to take
effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
2014524 - CVE-2021-35561 OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097)
2041472 - CVE-2022-21299 OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646)
2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)
2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)
6. Package List:
Red Hat Enterprise Linux Client Supplementary (v. 7):
x86_64:
java-1.7.1-ibm-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Supplementary (v. 7):
x86_64:
java-1.7.1-ibm-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 7):
ppc64:
java-1.7.1-ibm-1.7.1.5.10-1jpp.1.el7.ppc64.rpm
java-1.7.1-ibm-demo-1.7.1.5.10-1jpp.1.el7.ppc64.rpm
java-1.7.1-ibm-devel-1.7.1.5.10-1jpp.1.el7.ppc64.rpm
java-1.7.1-ibm-jdbc-1.7.1.5.10-1jpp.1.el7.ppc64.rpm
java-1.7.1-ibm-src-1.7.1.5.10-1jpp.1.el7.ppc64.rpm
ppc64le:
java-1.7.1-ibm-1.7.1.5.10-1jpp.1.el7.ppc64le.rpm
java-1.7.1-ibm-demo-1.7.1.5.10-1jpp.1.el7.ppc64le.rpm
java-1.7.1-ibm-devel-1.7.1.5.10-1jpp.1.el7.ppc64le.rpm
java-1.7.1-ibm-jdbc-1.7.1.5.10-1jpp.1.el7.ppc64le.rpm
java-1.7.1-ibm-src-1.7.1.5.10-1jpp.1.el7.ppc64le.rpm
s390x:
java-1.7.1-ibm-1.7.1.5.10-1jpp.1.el7.s390x.rpm
java-1.7.1-ibm-demo-1.7.1.5.10-1jpp.1.el7.s390x.rpm
java-1.7.1-ibm-devel-1.7.1.5.10-1jpp.1.el7.s390x.rpm
java-1.7.1-ibm-jdbc-1.7.1.5.10-1jpp.1.el7.s390x.rpm
java-1.7.1-ibm-src-1.7.1.5.10-1jpp.1.el7.s390x.rpm
x86_64:
java-1.7.1-ibm-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 7):
x86_64:
java-1.7.1-ibm-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.5.10-1jpp.1.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-35561
https://access.redhat.com/security/cve/CVE-2022-21299
https://access.redhat.com/security/cve/CVE-2022-21434
https://access.redhat.com/security/cve/CVE-2022-21443
https://access.redhat.com/security/cve/CVE-2022-21496
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYqFNktzjgjWX9erEAQgVmQ/9GVBo37J6v+OZMGpw0ZHgDJUgh3zCaX4m
bBY2BzzMC+pUhPK9maAqESuM8AcAmatr/UawuxaGvFD7r89QuNRfKTDUpBwzZZLz
T60TmAxTFMqNYnHloZAMt2lVosBALa9juOLFL68JeZnMImH4X/GgfLi8vaKwcpSs
7rJKSABBFN4dKP2nH5dzwfywxMR/U+WenDZW2bVW46QtNuH+5RE6iV5uhM/QvsQ3
x4EkfTfaU78yXgyUSBf/68weQS2M6jMb2mb37CEDCBTdYAumGZqE2lwPTV10qvLG
OZXvT29LemSojVp2WvkhZLwzccLMA9zOQbhsnY3pyzHt6qGO2Mrl8mpocNyfnAN5
v3EMGZECmZwcpj9dabAhGUOaKoAb+u60pt2UVDJhr93t+4Ixti7cZk2fKp83mbp8
GK98I7bm1pFqGFunTV9RetJEuxgpL5LFAn7I5hznf/Wd/cSMskAuHS6F9XCQo7Po
Z7nzdXGZpIFTMTWIzMEHxGmW5gBte7tpLx3fktXzavEf0Xs/MzjOC+9EDWuSuos3
dwgYa9eXABZ2BBd+lk65ndsxWC7FSbwyErnhdJ+087feofeQjazxC2bADsEeGIxv
T5x2OtyhTjYtPqPtis5Yi0jLpoBPT/B+vYbb5H/dwqL7Z1fd+tUfvlJPKAOTcUH0
0DBc/eIU86Y\xebZP
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
. 8) - ppc64le, s390x, x86_64
3. Bugs fixed (https://bugzilla.redhat.com/):
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling
2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
5. JIRA issues fixed (https://issues.jboss.org/):
LOG-2437 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.4]
LOG-2442 - Log file metric exporter not working with /var/log/pods
LOG-2448 - Audit and journald logs cannot be viewed from LokiStack, when logs are forwarded with Vector as collector.
For the stable distribution (bullseye), these problems have been fixed in
version 17.0.3+7-1~deb11u1.
We recommend that you upgrade your openjdk-17 packages.
For the detailed security status of openjdk-17 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-17
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmJxl3wACgkQEMKTtsN8
Tja/zg/7BeUmTL3RGbn6PBexYoRYRGd5TIgkjajpMhKJfgMJezJ95sDP1jKZmZ7W
5W7R3iqBYUIjJl+wcoDpSN2HyApXNUkLTMeTbNgJCwipJwk4LG79zcXLxAtBqmJl
hKt8ij5V4wQiou1NDhTYpGdLLQUQ8wQEX05veO5U80KYuMc2TzvRwsjzzAF1K3WM
zEKV8HJ3SLJcnb24s2PLpoPZLaWerJurcUwQG01OJVlp4smvuBzw1imExMOG5P9D
iX9CogACSoupamHCkpInajxtvzLx/Kb39obHOVIJmYlVJif9Vt4XMd+IRFv1ZiWK
bvmsexifgn96D2Qc9uoHMKanMsqb5bjN+jtyRSq/BRpADManyU9O0NPFAxuqkBk2
Zj1YiljDHTHdMmp/lnpMZA8Zxnm7JVQlNxxvrBsLttiEhytCkhAxBOzprXg00yoH
HQaRiOsPCDUTlvS73V3e5QfqTjWihUHiIwprxzL0nVIq7gZfwDs7/80QPZjm/yPK
OwOLGSobA2J/iyEG5VlLEaxyOBeyAfw5uMR5iHe0TKofyxBXFdSo69/oYDB8CVYp
ncJxX9e32EIrB/4aqCM9r/nVhos4QdwDfJIWncQVooQQisPd8zXLccSi9PkFxFQS
k4BnXv70QlIq9PnWi209kPyaU3TcQwEYRjZJBZqYRESaHLLnPGw=
=O0QV
-----END PGP SIGNATURE-----
. Summary:
Security updated rh-sso-7/sso75-openshift-rhel8 container image is now
available for RHEL-8 based Middleware Containers. Description:
The rh-sso-7/sso75-openshift-rhel8 container image has been updated for
RHEL-8 based Middleware Containers to include the following security
issues.
Users of rh-sso-7/sso75-openshift-rhel8 container images are advised to
upgrade to these updated images, which contain backported patches to
correct these security issues, fix these bugs and add these enhancements.
Users of these images are also encouraged to rebuild all container images
that depend on these images.
You can find images updated by this advisory in Red Hat Container Catalog
(see References). Solution:
The RHEL-8 based Middleware Containers container image provided by this
update can be downloaded from the Red Hat Container Registry at
registry.access.redhat.com.
Dockerfiles and scripts should be amended either to refer to this new image
specifically, or to the latest image generally. Bugs fixed (https://bugzilla.redhat.com/):
2071036 - CVE-2022-1245 keycloak: Privilege escalation vulnerability on Token Exchange
5
| VAR-202204-0593 | CVE-2022-21426 | Red Hat Security Advisory 2022-2217-01 |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). It exists that OpenJDK incorrectly validated the encoded length of
certain object identifiers. An attacker could possibly use this issue to
cause a denial of service. (CVE-2022-21443). [openshift-logging 5.3]
6. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
All OpenShift Container Platform 4.6 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html
3. Solution:
For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html
4. Bugs fixed (https://bugzilla.redhat.com/):
2059996 - read_lines_limit needs to be adjusted according to the setting of buffer_chunk_size
2066837 - CVE-2022-24769 moby: Default inheritable capabilities for linux container should be empty
5. Bugs fixed (https://bugzilla.redhat.com/):
2020725 - CVE-2021-41771 golang: debug/macho: invalid dynamic symbol table command can cause panic
2020736 - CVE-2021-41772 golang: archive/zip: Reader.Open panics on empty string
5. References:
https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2021-3999
https://access.redhat.com/security/cve/CVE-2021-23177
https://access.redhat.com/security/cve/CVE-2021-31566
https://access.redhat.com/security/cve/CVE-2021-41771
https://access.redhat.com/security/cve/CVE-2021-41772
https://access.redhat.com/security/cve/CVE-2021-45960
https://access.redhat.com/security/cve/CVE-2021-46143
https://access.redhat.com/security/cve/CVE-2022-0778
https://access.redhat.com/security/cve/CVE-2022-21426
https://access.redhat.com/security/cve/CVE-2022-21434
https://access.redhat.com/security/cve/CVE-2022-21443
https://access.redhat.com/security/cve/CVE-2022-21449
https://access.redhat.com/security/cve/CVE-2022-21476
https://access.redhat.com/security/cve/CVE-2022-21496
https://access.redhat.com/security/cve/CVE-2022-22822
https://access.redhat.com/security/cve/CVE-2022-22823
https://access.redhat.com/security/cve/CVE-2022-22824
https://access.redhat.com/security/cve/CVE-2022-22825
https://access.redhat.com/security/cve/CVE-2022-22826
https://access.redhat.com/security/cve/CVE-2022-22827
https://access.redhat.com/security/cve/CVE-2022-23218
https://access.redhat.com/security/cve/CVE-2022-23219
https://access.redhat.com/security/cve/CVE-2022-23308
https://access.redhat.com/security/cve/CVE-2022-23852
https://access.redhat.com/security/cve/CVE-2022-25235
https://access.redhat.com/security/cve/CVE-2022-25236
https://access.redhat.com/security/cve/CVE-2022-25315
For
details
about
the
security
issues
see
these
CVE
pages:
*
https://access.redhat.com/security/updates/classification/#low
*
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index
*
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index
*
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index
*
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index
*
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index
6.
For the oldstable distribution (buster), this problem has been fixed
in version 11.0.15+10-1~deb10u1.
For the stable distribution (bullseye), this problem has been fixed in
version 11.0.15+10-1~deb11u1.
We recommend that you upgrade your openjdk-11 packages.
For the detailed security status of openjdk-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-11
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmJz7AUACgkQEMKTtsN8
TjYPqQ//acxZ7tw58VvpicLhG3iTGRpUcVEVZwCcs1EGSs5sBAT20Q/rvZNc932o
//8ipzrsv1pZX4txFzDi9gI279f27RTIhb+vJCWblPoRt7rXVkB7N5TR0UT4IurP
ZCDcKF0PaStHPPrD7ZvVVUSQU09cDvHb0ibNnuXguOLCji9sIaPoubIAJ+NAkMIM
54inl1f4FQSwf1yqvZbjlnSvsDmBQ7nGE//yyajhN+JY29SkZdseLRgkAtGsG9+G
8XshJHdAGSuIeCUpJzbcYFdeikwXzQNP0DhvBGyClNmYUS/C4w9KCo8ab6L1rWhQ
vnVDIAdX4zH+GTxtZ7xuelNvYUwiTW4DhYHtEoU8UvrhzJJ0ZtidAdEhoLlxJkdK
e767zzyHFx9qbd5UFgwn8XMoJKlkkJtThTARypBcbN7mq9j7bxGV0JGTm1K76KJp
j2lIau4swGGkFWD2kTLVO5O/chj5l4gsxX2Mi9ipLiBeD2TVTwY/MV1iX5q4EVMg
3Kt4ZSw2AxgwCPzaaSTBpkRcwJyspsAzIQfkmhnJ170v9iUsf5hg3oJV+Mhxqm/F
znuzj1FKQ++A50O+6fGPA48T2DRATM7BMGBbjzWjRJ7KEptHEFnBGdkCU33I0YSm
MIYXEATq5Z7D5g5SX2WZLOReTr7Y/PLCd6FRZGcFvbs5zjcKSGM=
=Ysyl
-----END PGP SIGNATURE-----
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: java-11-openjdk security update
Advisory ID: RHSA-2022:1442-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1442
Issue date: 2022-04-20
CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443
CVE-2022-21476 CVE-2022-21496
====================================================================
1. Summary:
An update for java-11-openjdk is now available for Red Hat Enterprise Linux
8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
3. Description:
The java-11-openjdk packages provide the OpenJDK 11 Java Runtime
Environment and the OpenJDK 11 Java Software Development Kit.
Security Fix(es):
* OpenJDK: Defective secure validation in Apache Santuario (Libraries,
8278008) (CVE-2022-21476)
* OpenJDK: Unbounded memory allocation when compiling crafted XPath
expressions (JAXP, 8270504) (CVE-2022-21426)
* OpenJDK: Improper object-to-string conversion in
AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)
* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
(CVE-2022-21443)
* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of OpenJDK Java must be restarted for this update to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)
2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)
2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)
6. Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source:
java-11-openjdk-11.0.15.0.9-2.el8_5.src.rpm
aarch64:
java-11-openjdk-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-debuginfo-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-debugsource-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-demo-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-devel-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-devel-debuginfo-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-headless-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-headless-debuginfo-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-javadoc-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-jmods-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-src-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-static-libs-11.0.15.0.9-2.el8_5.aarch64.rpm
ppc64le:
java-11-openjdk-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-debuginfo-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-debugsource-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-demo-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-devel-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-devel-debuginfo-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-headless-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-headless-debuginfo-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-javadoc-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-jmods-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-src-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-static-libs-11.0.15.0.9-2.el8_5.ppc64le.rpm
s390x:
java-11-openjdk-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-debuginfo-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-debugsource-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-demo-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-devel-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-devel-debuginfo-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-headless-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-headless-debuginfo-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-javadoc-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-jmods-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-src-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-static-libs-11.0.15.0.9-2.el8_5.s390x.rpm
x86_64:
java-11-openjdk-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-debuginfo-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-debugsource-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-demo-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-devel-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-devel-debuginfo-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-headless-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-headless-debuginfo-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-javadoc-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-jmods-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-src-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-static-libs-11.0.15.0.9-2.el8_5.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 8):
aarch64:
java-11-openjdk-debuginfo-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-debugsource-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-demo-slowdebug-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-devel-debuginfo-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-devel-fastdebug-debuginfo-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-devel-slowdebug-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-fastdebug-debuginfo-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-headless-debuginfo-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-headless-fastdebug-debuginfo-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-headless-slowdebug-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-jmods-slowdebug-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-slowdebug-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-src-slowdebug-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5.aarch64.rpm
java-11-openjdk-static-libs-slowdebug-11.0.15.0.9-2.el8_5.aarch64.rpm
ppc64le:
java-11-openjdk-debuginfo-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-debugsource-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-demo-slowdebug-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-devel-debuginfo-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-devel-fastdebug-debuginfo-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-devel-slowdebug-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-fastdebug-debuginfo-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-headless-debuginfo-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-headless-fastdebug-debuginfo-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-headless-slowdebug-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-jmods-slowdebug-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-slowdebug-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-src-slowdebug-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5.ppc64le.rpm
java-11-openjdk-static-libs-slowdebug-11.0.15.0.9-2.el8_5.ppc64le.rpm
s390x:
java-11-openjdk-debuginfo-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-debugsource-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-demo-slowdebug-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-devel-debuginfo-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-devel-slowdebug-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-headless-debuginfo-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-headless-slowdebug-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-jmods-slowdebug-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-slowdebug-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-src-slowdebug-11.0.15.0.9-2.el8_5.s390x.rpm
java-11-openjdk-static-libs-slowdebug-11.0.15.0.9-2.el8_5.s390x.rpm
x86_64:
java-11-openjdk-debuginfo-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-debugsource-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-demo-slowdebug-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-devel-debuginfo-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-devel-fastdebug-debuginfo-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-devel-slowdebug-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-fastdebug-debuginfo-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-headless-debuginfo-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-headless-fastdebug-debuginfo-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-headless-slowdebug-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-jmods-slowdebug-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-slowdebug-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-src-slowdebug-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5.x86_64.rpm
java-11-openjdk-static-libs-slowdebug-11.0.15.0.9-2.el8_5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-21426
https://access.redhat.com/security/cve/CVE-2022-21434
https://access.redhat.com/security/cve/CVE-2022-21443
https://access.redhat.com/security/cve/CVE-2022-21476
https://access.redhat.com/security/cve/CVE-2022-21496
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYmAyANzjgjWX9erEAQgTGw//a84AkLLhZU8iQDd7ecaS/EcNnUOXFJ0Q
CoHN4WRcj3RibRben6W9zQ65PnA28pUds3SgRbR1tV6xrF5s5QoinqP+gqS7F6hv
g+wd9/905dhwuM2Gtob36nuzunkYdtNv9epMfrrLaFjEytBgiIQqvcz4aXedtJdB
0PjUVtH8yJMclzNNlQHj7v6bWKK5jofPo1If1hA+XLxGn/9jbQ3hxLBK5s3Q7oWy
6OE7uW4pn33sGmYN9ZhKXfV3mXgEjNIeI6BK33+csw9mjiSKiwOB1aWqrjjpGxFl
iz46yLCprguxHCTzlKrIaqYiL8a9jwVCgRPD5bdELDcSXpUTYC2CAlTlT7EV9OP5
8OVefLnHODX4zgjKY57v01FLYpEi9y8NnYufE7AOHJOILpRUACwvujLNGUYLAi6f
fbMniQdtYsQAcNbIsmpRJRM5QDNXYISGkQjSGyC/8vEWCjNtSFnfNYEuOaL9diXx
eAzwjDcXJwxxQNUStudqge7D9bnCB77tjGDsiWBs3zymtnvwdpOOttyAfUNrkyHC
sChuZbAqpI2q86cmKl1ach1yGLzlfUL03CAB07VH/JK4e87XVqt/ssu+PZt658vb
xtLTeggHbcfenkNKwgmx/jaY0LrGtf4aJ5oy4M+A57djeuepb4cevMjGdq+uPV/5
qAZpBpzOUoQ\xa7pd
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
. Bugs fixed (https://bugzilla.redhat.com/):
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling
2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
5. JIRA issues fixed (https://issues.jboss.org/):
LOG-2437 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.4]
LOG-2442 - Log file metric exporter not working with /var/log/pods
LOG-2448 - Audit and journald logs cannot be viewed from LokiStack, when logs are forwarded with Vector as collector. For further information,
refer to the release notes linked to in the References section. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied
| VAR-202204-0184 | CVE-2022-26857 | Dell OpenManage Enterprise Security hole |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
Dell OpenManage Enterprise Versions 3.8.3 and prior contain an improper authorization vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to bypass blocked functionalities and perform unauthorized actions. Dell OpenManage Enterprise is an easy-to-use one-to-many system management console for IT infrastructure management from Dell in the United States. The software enables cost-effective, comprehensive lifecycle management of Dell EMC PowerEdge servers in a single console
| VAR-202204-0838 | CVE-2022-1381 | vim/vim Out-of-bounds write vulnerability in |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
global heap buffer overflow in skip_range in GitHub repository vim/vim prior to 8.2.4763. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution. vim/vim Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202208-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: Vim, gVim: Multiple Vulnerabilities
Date: August 21, 2022
Bugs: #811870, #818562, #819528, #823473, #824930, #828583, #829658, #830106, #830994, #833572, #836432, #851231
ID: 202208-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
=======
Multiple vulnerabilities have been discovered in Vim, the worst of which
could result in denial of service.
Background
=========
Vim is an efficient, highly configurable improved version of the classic
‘vi’ text editor. gVim is the GUI version of Vim.
Affected packages
================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-editors/gvim < 9.0.0060 >= 9.0.0060
2 app-editors/vim < 9.0.0060 >= 9.0.0060
3 app-editors/vim-core < 9.0.0060 >= 9.0.0060
Description
==========
Multiple vulnerabilities have been discovered in Vim and gVim. Please
review the CVE identifiers referenced below for details.
Impact
=====
Please review the referenced CVE identifiers for details.
Workaround
=========
There is no known workaround at this time.
Resolution
=========
All Vim users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-editors/vim-9.0.0060"
All gVim users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-editors/gvim-9.0.0060"
All vim-core users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-editors/vim-core-9.0.0060"
References
=========
[ 1 ] CVE-2021-3770
https://nvd.nist.gov/vuln/detail/CVE-2021-3770
[ 2 ] CVE-2021-3778
https://nvd.nist.gov/vuln/detail/CVE-2021-3778
[ 3 ] CVE-2021-3796
https://nvd.nist.gov/vuln/detail/CVE-2021-3796
[ 4 ] CVE-2021-3872
https://nvd.nist.gov/vuln/detail/CVE-2021-3872
[ 5 ] CVE-2021-3875
https://nvd.nist.gov/vuln/detail/CVE-2021-3875
[ 6 ] CVE-2021-3927
https://nvd.nist.gov/vuln/detail/CVE-2021-3927
[ 7 ] CVE-2021-3928
https://nvd.nist.gov/vuln/detail/CVE-2021-3928
[ 8 ] CVE-2021-3968
https://nvd.nist.gov/vuln/detail/CVE-2021-3968
[ 9 ] CVE-2021-3973
https://nvd.nist.gov/vuln/detail/CVE-2021-3973
[ 10 ] CVE-2021-3974
https://nvd.nist.gov/vuln/detail/CVE-2021-3974
[ 11 ] CVE-2021-3984
https://nvd.nist.gov/vuln/detail/CVE-2021-3984
[ 12 ] CVE-2021-4019
https://nvd.nist.gov/vuln/detail/CVE-2021-4019
[ 13 ] CVE-2021-4069
https://nvd.nist.gov/vuln/detail/CVE-2021-4069
[ 14 ] CVE-2021-4136
https://nvd.nist.gov/vuln/detail/CVE-2021-4136
[ 15 ] CVE-2021-4166
https://nvd.nist.gov/vuln/detail/CVE-2021-4166
[ 16 ] CVE-2021-4173
https://nvd.nist.gov/vuln/detail/CVE-2021-4173
[ 17 ] CVE-2021-4187
https://nvd.nist.gov/vuln/detail/CVE-2021-4187
[ 18 ] CVE-2021-4192
https://nvd.nist.gov/vuln/detail/CVE-2021-4192
[ 19 ] CVE-2021-4193
https://nvd.nist.gov/vuln/detail/CVE-2021-4193
[ 20 ] CVE-2021-46059
https://nvd.nist.gov/vuln/detail/CVE-2021-46059
[ 21 ] CVE-2022-0128
https://nvd.nist.gov/vuln/detail/CVE-2022-0128
[ 22 ] CVE-2022-0156
https://nvd.nist.gov/vuln/detail/CVE-2022-0156
[ 23 ] CVE-2022-0158
https://nvd.nist.gov/vuln/detail/CVE-2022-0158
[ 24 ] CVE-2022-0213
https://nvd.nist.gov/vuln/detail/CVE-2022-0213
[ 25 ] CVE-2022-0261
https://nvd.nist.gov/vuln/detail/CVE-2022-0261
[ 26 ] CVE-2022-0318
https://nvd.nist.gov/vuln/detail/CVE-2022-0318
[ 27 ] CVE-2022-0319
https://nvd.nist.gov/vuln/detail/CVE-2022-0319
[ 28 ] CVE-2022-0351
https://nvd.nist.gov/vuln/detail/CVE-2022-0351
[ 29 ] CVE-2022-0359
https://nvd.nist.gov/vuln/detail/CVE-2022-0359
[ 30 ] CVE-2022-0361
https://nvd.nist.gov/vuln/detail/CVE-2022-0361
[ 31 ] CVE-2022-0368
https://nvd.nist.gov/vuln/detail/CVE-2022-0368
[ 32 ] CVE-2022-0392
https://nvd.nist.gov/vuln/detail/CVE-2022-0392
[ 33 ] CVE-2022-0393
https://nvd.nist.gov/vuln/detail/CVE-2022-0393
[ 34 ] CVE-2022-0407
https://nvd.nist.gov/vuln/detail/CVE-2022-0407
[ 35 ] CVE-2022-0408
https://nvd.nist.gov/vuln/detail/CVE-2022-0408
[ 36 ] CVE-2022-0413
https://nvd.nist.gov/vuln/detail/CVE-2022-0413
[ 37 ] CVE-2022-0417
https://nvd.nist.gov/vuln/detail/CVE-2022-0417
[ 38 ] CVE-2022-0443
https://nvd.nist.gov/vuln/detail/CVE-2022-0443
[ 39 ] CVE-2022-0554
https://nvd.nist.gov/vuln/detail/CVE-2022-0554
[ 40 ] CVE-2022-0629
https://nvd.nist.gov/vuln/detail/CVE-2022-0629
[ 41 ] CVE-2022-0685
https://nvd.nist.gov/vuln/detail/CVE-2022-0685
[ 42 ] CVE-2022-0714
https://nvd.nist.gov/vuln/detail/CVE-2022-0714
[ 43 ] CVE-2022-0729
https://nvd.nist.gov/vuln/detail/CVE-2022-0729
[ 44 ] CVE-2022-0943
https://nvd.nist.gov/vuln/detail/CVE-2022-0943
[ 45 ] CVE-2022-1154
https://nvd.nist.gov/vuln/detail/CVE-2022-1154
[ 46 ] CVE-2022-1160
https://nvd.nist.gov/vuln/detail/CVE-2022-1160
[ 47 ] CVE-2022-1381
https://nvd.nist.gov/vuln/detail/CVE-2022-1381
[ 48 ] CVE-2022-1420
https://nvd.nist.gov/vuln/detail/CVE-2022-1420
[ 49 ] CVE-2022-1616
https://nvd.nist.gov/vuln/detail/CVE-2022-1616
[ 50 ] CVE-2022-1619
https://nvd.nist.gov/vuln/detail/CVE-2022-1619
[ 51 ] CVE-2022-1620
https://nvd.nist.gov/vuln/detail/CVE-2022-1620
[ 52 ] CVE-2022-1621
https://nvd.nist.gov/vuln/detail/CVE-2022-1621
[ 53 ] CVE-2022-1629
https://nvd.nist.gov/vuln/detail/CVE-2022-1629
[ 54 ] CVE-2022-1674
https://nvd.nist.gov/vuln/detail/CVE-2022-1674
[ 55 ] CVE-2022-1720
https://nvd.nist.gov/vuln/detail/CVE-2022-1720
[ 56 ] CVE-2022-1733
https://nvd.nist.gov/vuln/detail/CVE-2022-1733
[ 57 ] CVE-2022-1735
https://nvd.nist.gov/vuln/detail/CVE-2022-1735
[ 58 ] CVE-2022-1769
https://nvd.nist.gov/vuln/detail/CVE-2022-1769
[ 59 ] CVE-2022-1771
https://nvd.nist.gov/vuln/detail/CVE-2022-1771
[ 60 ] CVE-2022-1785
https://nvd.nist.gov/vuln/detail/CVE-2022-1785
[ 61 ] CVE-2022-1796
https://nvd.nist.gov/vuln/detail/CVE-2022-1796
[ 62 ] CVE-2022-1851
https://nvd.nist.gov/vuln/detail/CVE-2022-1851
[ 63 ] CVE-2022-1886
https://nvd.nist.gov/vuln/detail/CVE-2022-1886
[ 64 ] CVE-2022-1897
https://nvd.nist.gov/vuln/detail/CVE-2022-1897
[ 65 ] CVE-2022-1898
https://nvd.nist.gov/vuln/detail/CVE-2022-1898
[ 66 ] CVE-2022-1927
https://nvd.nist.gov/vuln/detail/CVE-2022-1927
[ 67 ] CVE-2022-1942
https://nvd.nist.gov/vuln/detail/CVE-2022-1942
[ 68 ] CVE-2022-1968
https://nvd.nist.gov/vuln/detail/CVE-2022-1968
[ 69 ] CVE-2022-2000
https://nvd.nist.gov/vuln/detail/CVE-2022-2000
[ 70 ] CVE-2022-2042
https://nvd.nist.gov/vuln/detail/CVE-2022-2042
[ 71 ] CVE-2022-2124
https://nvd.nist.gov/vuln/detail/CVE-2022-2124
[ 72 ] CVE-2022-2125
https://nvd.nist.gov/vuln/detail/CVE-2022-2125
[ 73 ] CVE-2022-2126
https://nvd.nist.gov/vuln/detail/CVE-2022-2126
[ 74 ] CVE-2022-2129
https://nvd.nist.gov/vuln/detail/CVE-2022-2129
[ 75 ] CVE-2022-2175
https://nvd.nist.gov/vuln/detail/CVE-2022-2175
[ 76 ] CVE-2022-2182
https://nvd.nist.gov/vuln/detail/CVE-2022-2182
[ 77 ] CVE-2022-2183
https://nvd.nist.gov/vuln/detail/CVE-2022-2183
[ 78 ] CVE-2022-2206
https://nvd.nist.gov/vuln/detail/CVE-2022-2206
[ 79 ] CVE-2022-2207
https://nvd.nist.gov/vuln/detail/CVE-2022-2207
[ 80 ] CVE-2022-2208
https://nvd.nist.gov/vuln/detail/CVE-2022-2208
[ 81 ] CVE-2022-2210
https://nvd.nist.gov/vuln/detail/CVE-2022-2210
[ 82 ] CVE-2022-2231
https://nvd.nist.gov/vuln/detail/CVE-2022-2231
[ 83 ] CVE-2022-2257
https://nvd.nist.gov/vuln/detail/CVE-2022-2257
[ 84 ] CVE-2022-2264
https://nvd.nist.gov/vuln/detail/CVE-2022-2264
[ 85 ] CVE-2022-2284
https://nvd.nist.gov/vuln/detail/CVE-2022-2284
[ 86 ] CVE-2022-2285
https://nvd.nist.gov/vuln/detail/CVE-2022-2285
[ 87 ] CVE-2022-2286
https://nvd.nist.gov/vuln/detail/CVE-2022-2286
[ 88 ] CVE-2022-2287
https://nvd.nist.gov/vuln/detail/CVE-2022-2287
[ 89 ] CVE-2022-2288
https://nvd.nist.gov/vuln/detail/CVE-2022-2288
[ 90 ] CVE-2022-2289
https://nvd.nist.gov/vuln/detail/CVE-2022-2289
[ 91 ] CVE-2022-2304
https://nvd.nist.gov/vuln/detail/CVE-2022-2304
[ 92 ] CVE-2022-2343
https://nvd.nist.gov/vuln/detail/CVE-2022-2343
[ 93 ] CVE-2022-2344
https://nvd.nist.gov/vuln/detail/CVE-2022-2344
[ 94 ] CVE-2022-2345
https://nvd.nist.gov/vuln/detail/CVE-2022-2345
Availability
===========
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202208-32
Concerns?
========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
======
Copyright 2022 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
| VAR-202204-1019 | CVE-2021-46122 | TP-LINK Technologies of TL-WR840N Classic buffer overflow vulnerability in firmware |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
Tp-Link TL-WR840N (EU) v6.20 Firmware (0.9.1 4.17 v0001.0 Build 201124 Rel.64328n) is vulnerable to Buffer Overflow via the Password reset feature. TP-LINK Technologies of TL-WR840N Firmware has a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
| VAR-202204-1169 | CVE-2021-23285 | Eaton Intelligent Power Manager cross-site scripting vulnerability |
CVSS V2: 3.5 CVSS V3: 4.8 Severity: MEDIUM |
Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to reflected Cross-site Scripting vulnerability. This issue affects: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) all version 1.5.0plus205 and prior versions. The vulnerability stems from the program's lack of data validation filtering for user-supplied data and output. Attackers can exploit this vulnerability to execute JavaScript code on the client
| VAR-202204-1601 | CVE-2021-23286 | Eaton of Intelligent Power Manager In CSV Vulnerability in neutralizing math elements in files |
CVSS V2: 7.9 CVSS V3: 8.0 Severity: HIGH |
Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to CSV Formula Injection. This issue affects: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) all version 1.5.0plus205 and prior versions. (DoS) It may be in a state