-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Integration Camel for Spring Boot 3.20.1 security update
Advisory ID:       RHSA-2023:2100-01
Product:           Red Hat Integration
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2100
Issue date:        2023-05-03
CVE Names:         CVE-2021-37533 CVE-2022-4492 CVE-2022-25857 
                   CVE-2022-31777 CVE-2022-33681 CVE-2022-37865 
                   CVE-2022-37866 CVE-2022-38398 CVE-2022-38648 
                   CVE-2022-38749 CVE-2022-38750 CVE-2022-38751 
                   CVE-2022-38752 CVE-2022-39368 CVE-2022-40146 
                   CVE-2022-40150 CVE-2022-40151 CVE-2022-40152 
                   CVE-2022-40156 CVE-2022-41704 CVE-2022-41852 
                   CVE-2022-41853 CVE-2022-41854 CVE-2022-41881 
                   CVE-2022-41966 CVE-2022-42003 CVE-2022-42004 
                   CVE-2022-42890 CVE-2023-1370 CVE-2023-1436 
                   CVE-2023-20860 CVE-2023-20861 CVE-2023-20863 
                   CVE-2023-22602 CVE-2023-24998 
====================================================================
1. Summary:

Red Hat Integration Camel for Spring Boot 3.20.1 release and security
update is now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

This release of Camel for Spring Boot 3.20.1 serves as a replacement for
Camel for Spring Boot 3.18.3 and includes bug fixes and enhancements, which
are documented in the Release Notes document linked in the References.

The purpose of this text-only errata is to inform you about the security
issues fixed.

Security Fix(es):

* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)

* JXPath: untrusted XPath expressions may lead to RCE attack
(CVE-2022-41852)

* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)

* xstream: Denial of Service by injecting recursive collections or maps
based on element's hash values raising a stack overflow (CVE-2022-41966)

* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
(CVE-2023-20860)

* apache-commons-net: FTP client trusts the host from PASV response by
default (CVE-2021-37533)

* undertow: Server identity in https connection is not checked by the
undertow client (CVE-2022-4492)

* apache-spark: XSS vulnerability in log viewer UI Javascript
(CVE-2022-31777)

* Apache Pulsar: Improper Hostname Verification in Java Client and Proxy
can expose authentication data via MITM (CVE-2022-33681)

* apache-ivy: Directory Traversal (CVE-2022-37865)

* apache-ivy: Ivy Path traversal (CVE-2022-37866)

* batik: Server-Side Request Forgery (CVE-2022-38398)

* batik: Server-Side Request Forgery (CVE-2022-38648)

* snakeyaml: Uncaught exception in
org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)

* snakeyaml: Uncaught exception in
org.yaml.snakeyaml.constructor.BaseConstructor.constructObject
(CVE-2022-38750)

* snakeyaml: Uncaught exception in
java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)

* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
(CVE-2022-38752)

* scandium: Failing DTLS handshakes may cause throttling to block
processing of records (CVE-2022-39368)

* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)

* xstream: applications using XStream to deserialise XML data are
vulnerable to Denial of Service; a parser running on user-supplied input
can be crashed by stack overflow (CVE-2022-40151)

* woodstox-core: applications using Woodstox to parse XML data are
vulnerable to Denial of Service if DTD support is enabled; a parser running
on user-supplied input can be crashed by stack overflow (CVE-2022-40152)

* xstream: applications using XStream to deserialise XML data are
vulnerable to Denial of Service; a parser running on user-supplied input
can be crashed by stack overflow (CVE-2022-40156)

* batik: Apache XML Graphics Batik vulnerable to code execution via SVG
(CVE-2022-41704)

* snakeyaml: DoS via stack overflow (CVE-2022-41854)

* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
(CVE-2022-41881)

* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* batik: Untrusted code execution in Apache XML Graphics Batik
(CVE-2022-42890)

* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)

* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

* shiro: Authentication bypass through a specially crafted HTTP request
(CVE-2023-22602)

* Apache Commons FileUpload: FileUpload DoS with excessive parts
(CVE-2023-24998)

* jettison: memory exhaustion via user-supplied XML or JSON data
(CVE-2022-40150)

* springframework: Spring Expression DoS Vulnerability (CVE-2023-20863)

* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart
(Resource Exhaustion) (CVE-2023-1370)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
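
The following script is an added example for this advisory; it is not part
of the advisory or of Camel for Spring Boot. It reads the output of
`mvn dependency:list -DoutputFile=deps.txt` from an application built on the
replaced Camel for Spring Boot release and reports every artifact that
belongs to a component named in the Security Fix(es) list above, together
with the CVEs the advisory attributes to that component. The advisory names
components, not Maven coordinates, and states no fixed library versions, so
the groupId/artifactId patterns in the table are assumptions made for this
example, the sample dependency list is constructed, and a hit means the
artifact should be reviewed against the CVE pages in the References, not
that its version is vulnerable.

```python
"""Flag Maven dependencies that belong to components named in RHSA-2023:2100.

Reads the text written by `mvn dependency:list -DoutputFile=deps.txt`
(one `groupId:artifactId:type[:classifier]:version:scope` line per artifact)
and reports each artifact whose coordinates belong to a component the
advisory lists, with the CVEs the advisory attributes to that component.
"""
import re
from typing import Dict, List, Set, Tuple

# Component table. The CVE lists are copied from the advisory's Security
# Fix(es) section; the Maven groupId/artifactId patterns are this example's
# ASSUMPTION, because the advisory names components rather than artifacts.
COMPONENTS: Dict[str, Tuple[str, str, List[str]]] = {
    "snakeyaml": (r"org\.yaml", r"snakeyaml",
                  ["CVE-2022-25857", "CVE-2022-38749", "CVE-2022-38750",
                   "CVE-2022-38751", "CVE-2022-38752", "CVE-2022-41854"]),
    "jackson-databind": (r"com\.fasterxml\.jackson\.core", r"jackson-databind",
                         ["CVE-2022-42003", "CVE-2022-42004"]),
    "xstream": (r"com\.thoughtworks\.xstream", r"xstream",
                ["CVE-2022-40151", "CVE-2022-40156", "CVE-2022-41966"]),
    "woodstox-core": (r"com\.fasterxml\.woodstox", r"woodstox-core", ["CVE-2022-40152"]),
    "jettison": (r"org\.codehaus\.jettison", r"jettison", ["CVE-2022-40150", "CVE-2023-1436"]),
    "json-smart": (r"net\.minidev", r"json-smart", ["CVE-2023-1370"]),
    "commons-fileupload": (r"commons-fileupload", r"commons-fileupload", ["CVE-2023-24998"]),
    "commons-net": (r"commons-net", r"commons-net", ["CVE-2021-37533"]),
    "commons-jxpath": (r"commons-jxpath", r"commons-jxpath", ["CVE-2022-41852"]),
    "hsqldb": (r"org\.hsqldb", r"hsqldb", ["CVE-2022-41853"]),
    "batik": (r"org\.apache\.xmlgraphics", r"batik-.*",
              ["CVE-2022-38398", "CVE-2022-38648", "CVE-2022-40146",
               "CVE-2022-41704", "CVE-2022-42890"]),
    "springframework": (r"org\.springframework", r"spring-.*",
                        ["CVE-2023-20860", "CVE-2023-20861", "CVE-2023-20863"]),
    "undertow": (r"io\.undertow", r"undertow-.*", ["CVE-2022-4492"]),
    "shiro": (r"org\.apache\.shiro", r"shiro-.*", ["CVE-2023-22602"]),
    "netty-codec-haproxy": (r"io\.netty", r"netty-codec-haproxy", ["CVE-2022-41881"]),
    "scandium": (r"org\.eclipse\.californium", r"scandium", ["CVE-2022-39368"]),
    "pulsar-client": (r"org\.apache\.pulsar", r"pulsar-client.*", ["CVE-2022-33681"]),
    "ivy": (r"org\.apache\.ivy", r"ivy", ["CVE-2022-37865", "CVE-2022-37866"]),
    "spark": (r"org\.apache\.spark", r"spark-core.*", ["CVE-2022-31777"]),
}


def advisory_cves() -> Set[str]:
    """All CVE identifiers carried by the table (the advisory lists 35)."""
    return {cve for _, _, cves in COMPONENTS.values() for cve in cves}


def parse_dependency_list(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (groupId, artifactId, version, scope) for every coordinate line.

    Header text and blank lines are skipped. Only the first whitespace-delimited
    token is used, so a trailing ' -- module ...' annotation is ignored, and
    an optional classifier between type and version is tolerated.
    """
    deps = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        parts = fields[0].split(":")
        if len(parts) < 5:
            continue  # not a groupId:artifactId:type[:classifier]:version:scope line
        deps.append((parts[0], parts[1], parts[-2], parts[-1]))
    return deps


def flag_advisory_components(deps: List[Tuple[str, str, str, str]]) -> List[dict]:
    """Match each dependency against COMPONENTS; a hit means 'review', not 'vulnerable'."""
    hits = []
    for group, artifact, version, scope in deps:
        for component, (group_re, artifact_re, cves) in COMPONENTS.items():
            if re.fullmatch(group_re, group) and re.fullmatch(artifact_re, artifact):
                hits.append({"coordinate": f"{group}:{artifact}:{version}",
                             "scope": scope, "component": component, "cves": cves})
                break
    return hits


def audit(text: str) -> List[dict]:
    return flag_advisory_components(parse_dependency_list(text))


# Constructed sample of dependency:list output; the versions are made up,
# except 3.18.3, which is the release this advisory replaces.
SAMPLE_DEPENDENCY_LIST = """\
The following files have been resolved:
   org.springframework.boot:spring-boot-starter-web:jar:2.7.8:compile
   org.springframework:spring-web:jar:5.3.25:compile
   org.yaml:snakeyaml:jar:1.30:compile
   com.fasterxml.jackson.core:jackson-databind:jar:2.13.4:compile
   org.apache.camel.springboot:camel-spring-boot-starter:jar:3.18.3:compile
   org.hsqldb:hsqldb:jar:2.7.0:test
   io.netty:netty-codec-http:jar:4.1.86.Final:compile -- module io.netty.codec.http
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEPENDENCY_LIST
    for hit in audit(text):
        print(f"{hit['coordinate']} ({hit['scope']}): {hit['component']} -> {', '.join(hit['cves'])}")
```

Run without arguments to see the four hits from the constructed sample
(spring-web, snakeyaml, jackson-databind and hsqldb), or pass the path of
a real deps.txt. Spring Boot's own starters are not flagged because the
groupId pattern is matched in full, and a test-scoped artifact such as
hsqldb is still reported so that the scope can be judged by the reader.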

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode
2129707 - CVE-2022-38750 snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject
2129709 - CVE-2022-38751 snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match
2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
2134288 - CVE-2022-40156 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks
2134292 - CVE-2022-40151 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data
2136128 - CVE-2022-41852 JXPath: untrusted XPath expressions may lead to RCE attack
2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack
2136207 - CVE-2022-33681 Apache Pulsar: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM
2145205 - CVE-2022-39368 scandium: Failing DTLS handshakes may cause throttling to block processing of records
2145264 - CVE-2022-31777 apache-spark: XSS vulnerability in log viewer UI Javascript
2150011 - CVE-2022-37866 apache-ivy: Ivy Path traversal
2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow
2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client
2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
2155291 - CVE-2022-40146 batik: Server-Side Request Forgery (SSRF) vulnerability
2155292 - CVE-2022-38398 batik: Server-Side Request Forgery
2155295 - CVE-2022-38648 batik: Server-Side Request Forgery
2169924 - CVE-2021-37533 apache-commons-net: FTP client trusts the host from PASV response by default
2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow
2172298 - CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability
2182182 - CVE-2022-41704 batik: Apache XML Graphics Batik vulnerable to code execution via SVG
2182183 - CVE-2022-42890 batik: Untrusted code execution in Apache XML Graphics Batik
2182188 - CVE-2022-37865 apache-ivy: Directory Traversal
2182198 - CVE-2023-22602 shiro: Authentication bypass through a specially crafted HTTP request
2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
2187742 - CVE-2023-20863 springframework: Spring Expression DoS Vulnerability
2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)

5. References:

https://access.redhat.com/security/cve/CVE-2021-37533
https://access.redhat.com/security/cve/CVE-2022-4492
https://access.redhat.com/security/cve/CVE-2022-25857
https://access.redhat.com/security/cve/CVE-2022-31777
https://access.redhat.com/security/cve/CVE-2022-33681
https://access.redhat.com/security/cve/CVE-2022-37865
https://access.redhat.com/security/cve/CVE-2022-37866
https://access.redhat.com/security/cve/CVE-2022-38398
https://access.redhat.com/security/cve/CVE-2022-38648
https://access.redhat.com/security/cve/CVE-2022-38749
https://access.redhat.com/security/cve/CVE-2022-38750
https://access.redhat.com/security/cve/CVE-2022-38751
https://access.redhat.com/security/cve/CVE-2022-38752
https://access.redhat.com/security/cve/CVE-2022-39368
https://access.redhat.com/security/cve/CVE-2022-40146
https://access.redhat.com/security/cve/CVE-2022-40150
https://access.redhat.com/security/cve/CVE-2022-40151
https://access.redhat.com/security/cve/CVE-2022-40152
https://access.redhat.com/security/cve/CVE-2022-40156
https://access.redhat.com/security/cve/CVE-2022-41704
https://access.redhat.com/security/cve/CVE-2022-41852
https://access.redhat.com/security/cve/CVE-2022-41853
https://access.redhat.com/security/cve/CVE-2022-41854
https://access.redhat.com/security/cve/CVE-2022-41881
https://access.redhat.com/security/cve/CVE-2022-41966
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/cve/CVE-2022-42890
https://access.redhat.com/security/cve/CVE-2023-1370
https://access.redhat.com/security/cve/CVE-2023-1436
https://access.redhat.com/security/cve/CVE-2023-20860
https://access.redhat.com/security/cve/CVE-2023-20861
https://access.redhat.com/security/cve/CVE-2023-20863
https://access.redhat.com/security/cve/CVE-2023-22602
https://access.redhat.com/security/cve/CVE-2023-24998
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce