dom4j is an Open Source XML framework for Java. dom4j allows you to read, write, navigate, create and modify XML documents. dom4j integrates with DOM and SAX and is seamlessly integrated with full XPath support.
{"osv": [{"lastseen": "2022-08-05T05:18:19", "description": "\nMario Areias discovered that dom4j, a XML framework for Java, was\nvulnerable to a XML injection attack. An attacker able to specify\nattributes or elements in the XML document might be able to modify the\nwhole XML document.\n\n\nFor Debian 8 Jessie, this problem has been fixed in version\n1.6.1+dfsg.3-2+deb8u1.\n\n\nWe recommend that you upgrade your dom4j packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2018-09-24T00:00:00", "type": "osv", "title": "dom4j - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2022-08-05T05:18:16", "id": "OSV:DLA-1517-1", "href": "https://osv.dev/vulnerability/DLA-1517-1", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-04-11T01:29:52", "description": "dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.\n\nNote: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-10-16T17:01:25", "type": "osv", "title": "Dom4j contains a XML Injection vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2023-04-11T01:29:47", "id": "OSV:GHSA-6PCC-3RFX-4GPM", "href": "https://osv.dev/vulnerability/GHSA-6pcc-3rfx-4gpm", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2020-07-24T15:56:31", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for dom4j (EulerOS-SA-2019-2569)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192569", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192569", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2569\");\n script_version(\"2020-01-23T13:06:38+0000\");\n script_cve_id(\"CVE-2018-1000632\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 13:06:38 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 13:06:38 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for dom4j (EulerOS-SA-2019-2569)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2569\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2569\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'dom4j' package(s) announced via the EulerOS-SA-2019-2569 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.(CVE-2018-1000632)\");\n\n script_tag(name:\"affected\", value:\"'dom4j' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"dom4j\", rpm:\"dom4j~1.6.1~20.h1\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-07-24T15:57:42", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for dom4j (EulerOS-SA-2019-1960)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191960", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191960", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1960\");\n script_version(\"2020-01-23T12:28:35+0000\");\n script_cve_id(\"CVE-2018-1000632\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:28:35 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:28:35 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for dom4j (EulerOS-SA-2019-1960)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1960\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1960\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'dom4j' package(s) announced via the EulerOS-SA-2019-1960 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. (CVE-2018-1000632)\");\n\n script_tag(name:\"affected\", value:\"'dom4j' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"dom4j\", rpm:\"dom4j~1.6.1~20.h1.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-07-24T16:01:50", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for dom4j (EulerOS-SA-2019-2405)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192405", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192405", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2405\");\n script_version(\"2020-01-23T12:53:41+0000\");\n script_cve_id(\"CVE-2018-1000632\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:53:41 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:53:41 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for dom4j (EulerOS-SA-2019-2405)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2405\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2405\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'dom4j' package(s) announced via the EulerOS-SA-2019-2405 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.(CVE-2018-1000632)\");\n\n script_tag(name:\"affected\", value:\"'dom4j' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"dom4j\", rpm:\"dom4j~1.6.1~20.h1\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-07-24T12:59:46", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-12-10T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for dom4j (openSUSE-SU-2018:3998-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310852163", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852163", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852163\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_cve_id(\"CVE-2018-1000632\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-12-10 07:37:03 +0100 (Mon, 10 Dec 2018)\");\n script_name(\"openSUSE: Security Advisory for dom4j (openSUSE-SU-2018:3998-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:3998-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-12/msg00000.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'dom4j'\n package(s) announced via the openSUSE-SU-2018:3998-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for dom4j fixes the following issues:\n\n - CVE-2018-1000632: Prevent XML injection that could have resulted in an\n attacker tampering with XML documents (bsc#1105443).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2018-1486=1\");\n\n script_tag(name:\"affected\", value:\"dom4j on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n if(!isnull(res = isrpmvuln(pkg:\"dom4j\", rpm:\"dom4j~1.6.1~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"dom4j-demo\", rpm:\"dom4j-demo~1.6.1~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"dom4j-javadoc\", rpm:\"dom4j-javadoc~1.6.1~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"dom4j-manual\", rpm:\"dom4j-manual~1.6.1~lp150.3.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-07-24T13:28:55", "description": "Mario Areias discovered that dom4j, a XML framework for Java, was\nvulnerable to a XML injection attack. An attacker able to specify\nattributes or elements in the XML document might be able to modify the\nwhole XML document.", "cvss3": {}, "published": "2018-09-25T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for dom4j (DLA-1517-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891517", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891517", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891517\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2018-1000632\");\n script_name(\"Debian LTS: Security Advisory for dom4j (DLA-1517-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-09-25 00:00:00 +0200 (Tue, 25 Sep 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_tag(name:\"affected\", value:\"dom4j on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', this problem has been fixed in version\n1.6.1+dfsg.3-2+deb8u1.\n\nWe recommend that you upgrade your dom4j packages.\");\n\n script_tag(name:\"summary\", value:\"Mario Areias discovered that dom4j, a XML framework for Java, was\nvulnerable to a XML injection attack. An attacker able to specify\nattributes or elements in the XML document might be able to modify the\nwhole XML document.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libdom4j-java\", ver:\"1.6.1+dfsg.3-2+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libdom4j-java-doc\", ver:\"1.6.1+dfsg.3-2+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-07-24T13:02:00", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-09-28T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for dom4j (openSUSE-SU-2018:2931-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310851918", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851918", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851918\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-09-28 13:06:25 +0200 (Fri, 28 Sep 2018)\");\n script_cve_id(\"CVE-2018-1000632\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for dom4j (openSUSE-SU-2018:2931-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'dom4j'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for dom4j fixes the following issues:\n\n - CVE-2018-1000632: Prevent XML injection vulnerability that allowed an\n attacker to tamper with XML documents (bsc#1105443)\n\n This update was imported from the SUSE:SLE-12:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2018-1077=1\");\n\n script_tag(name:\"affected\", value:\"dom4j on openSUSE Leap 42.3\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:2931-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-09/msg00083.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"dom4j\", rpm:\"dom4j~1.6.1~31.3.2\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"dom4j-demo\", rpm:\"dom4j-demo~1.6.1~31.3.2\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"dom4j-javadoc\", rpm:\"dom4j-javadoc~1.6.1~31.3.2\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"dom4j-manual\", rpm:\"dom4j-manual~1.6.1~31.3.2\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2023-05-23T14:15:14", "description": "This update for dom4j fixes the following issues :\n\n - CVE-2018-1000632: Prevent XML injection vulnerability that allowed an attacker to tamper with XML documents (bsc#1105443)\n\nThis update was imported from the SUSE:SLE-12:Update update project.", "cvss3": {}, "published": "2018-10-01T00:00:00", "type": "nessus", "title": "openSUSE Security Update : dom4j (openSUSE-2018-1077)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:dom4j", "p-cpe:/a:novell:opensuse:dom4j-demo", "p-cpe:/a:novell:opensuse:dom4j-javadoc", "p-cpe:/a:novell:opensuse:dom4j-manual", "cpe:/o:novell:opensuse:42.3"], "id": "OPENSUSE-2018-1077.NASL", "href": "https://www.tenable.com/plugins/nessus/117852", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-1077.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117852);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-1000632\");\n\n script_name(english:\"openSUSE Security Update : dom4j (openSUSE-2018-1077)\");\n script_summary(english:\"Check for the openSUSE-2018-1077 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for dom4j fixes the following issues :\n\n - CVE-2018-1000632: Prevent XML injection vulnerability\n that allowed an attacker to tamper with XML documents\n (bsc#1105443)\n\nThis update was imported from the SUSE:SLE-12:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1105443\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dom4j packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dom4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dom4j-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dom4j-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dom4j-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"dom4j-1.6.1-31.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"dom4j-demo-1.6.1-31.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"dom4j-javadoc-1.6.1-31.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"dom4j-manual-1.6.1-31.3.2\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dom4j / dom4j-demo / dom4j-javadoc / dom4j-manual\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:05:41", "description": "The remote Ubuntu 16.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-4619-1 advisory.\n\n - dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element.\n Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later. (CVE-2018-1000632)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-11-06T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS : dom4j vulnerability (USN-4619-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632"], "modified": "2023-10-23T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:libdom4j-java"], "id": "UBUNTU_USN-4619-1.NASL", "href": "https://www.tenable.com/plugins/nessus/142499", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4619-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142499);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/23\");\n\n script_cve_id(\"CVE-2018-1000632\");\n script_bugtraq_id(106608);\n script_xref(name:\"USN\", value:\"4619-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS : dom4j vulnerability (USN-4619-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS host has a package installed that is affected by a vulnerability as referenced in the\nUSN-4619-1 advisory.\n\n - dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element.\n Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML\n injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the\n XML document. This vulnerability appears to have been fixed in 2.1.1 or later. (CVE-2018-1000632)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4619-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected libdom4j-java package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1000632\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libdom4j-java\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2020-2023 Canonical, Inc. / NASL script (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! ('16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar pkgs = [\n {'osver': '16.04', 'pkgname': 'libdom4j-java', 'pkgver': '1.6.1+dfsg.3-2ubuntu1.2'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libdom4j-java');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:28:58", "description": "According to the version of the dom4j package installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - dom4j version prior to version 2.1.1 contains a CWE-91:\n XML Injection vulnerability in Class: Element. Methods:\n addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection.\n This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document.\n (CVE-2018-1000632)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-09-23T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : dom4j (EulerOS-SA-2019-1960)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632"], "modified": "2021-02-01T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dom4j", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-1960.NASL", "href": "https://www.tenable.com/plugins/nessus/129117", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(129117);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/01\");\n\n script_cve_id(\n \"CVE-2018-1000632\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : dom4j (EulerOS-SA-2019-1960)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the dom4j package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - dom4j version prior to version 2.1.1 contains a CWE-91:\n XML Injection vulnerability in Class: Element. Methods:\n addElement, addAttribute that can result in an attacker\n tampering with XML documents through XML injection.\n This attack appear to be exploitable via an attacker\n specifying attributes or elements in the XML document.\n (CVE-2018-1000632)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1960\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8d568a32\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dom4j package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1000632\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dom4j\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dom4j-1.6.1-20.h1.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dom4j\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-23T14:17:13", "description": "This update for dom4j fixes the following issues :\n\n - CVE-2018-1000632: Prevent XML injection that could have resulted in an attacker tampering with XML documents (bsc#1105443).\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "cvss3": {}, "published": "2018-12-07T00:00:00", "type": "nessus", "title": "openSUSE Security Update : dom4j (openSUSE-2018-1486)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:dom4j", "p-cpe:/a:novell:opensuse:dom4j-demo", "p-cpe:/a:novell:opensuse:dom4j-javadoc", "p-cpe:/a:novell:opensuse:dom4j-manual", "cpe:/o:novell:opensuse:15.0"], "id": "OPENSUSE-2018-1486.NASL", "href": "https://www.tenable.com/plugins/nessus/119494", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-1486.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119494);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-1000632\");\n\n script_name(english:\"openSUSE Security Update : dom4j (openSUSE-2018-1486)\");\n script_summary(english:\"Check for the openSUSE-2018-1486 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for dom4j fixes the following issues :\n\n - CVE-2018-1000632: Prevent XML injection that could have\n resulted in an attacker tampering with XML documents\n (bsc#1105443).\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1105443\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dom4j packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dom4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dom4j-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dom4j-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dom4j-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"dom4j-1.6.1-lp150.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"dom4j-demo-1.6.1-lp150.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"dom4j-javadoc-1.6.1-lp150.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"dom4j-manual-1.6.1-lp150.3.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dom4j / dom4j-demo / dom4j-javadoc / dom4j-manual\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:17:38", "description": "This update for dom4j fixes the following issues :\n\n - CVE-2018-1000632: Prevent XML injection that could have resulted in an attacker tampering with XML documents (bsc#1105443).\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "cvss3": {}, "published": "2019-03-27T00:00:00", "type": "nessus", "title": "openSUSE Security Update : dom4j (openSUSE-2019-958)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:dom4j", "p-cpe:/a:novell:opensuse:dom4j-demo", "p-cpe:/a:novell:opensuse:dom4j-javadoc", "p-cpe:/a:novell:opensuse:dom4j-manual", "cpe:/o:novell:opensuse:15.0"], "id": "OPENSUSE-2019-958.NASL", "href": "https://www.tenable.com/plugins/nessus/123387", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-958.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(123387);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-1000632\");\n\n script_name(english:\"openSUSE Security Update : dom4j (openSUSE-2019-958)\");\n script_summary(english:\"Check for the openSUSE-2019-958 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for dom4j fixes the following issues :\n\n - CVE-2018-1000632: Prevent XML injection that could have\n resulted in an attacker tampering with XML documents\n (bsc#1105443).\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1105443\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dom4j packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dom4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dom4j-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dom4j-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dom4j-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"dom4j-1.6.1-lp150.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"dom4j-demo-1.6.1-lp150.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"dom4j-javadoc-1.6.1-lp150.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"dom4j-manual-1.6.1-lp150.3.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dom4j / dom4j-demo / dom4j-javadoc / dom4j-manual\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:33:44", "description": "According to the version of the dom4j package installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - dom4j version prior to version 2.1.1 contains a CWE-91:\n XML Injection vulnerability in Class: Element. Methods:\n addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection.\n This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document.\n This vulnerability appears to have been fixed in 2.1.1 or later.(CVE-2018-1000632)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-12-19T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP3 : dom4j (EulerOS-SA-2019-2569)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632"], "modified": "2021-01-29T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dom4j", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2569.NASL", "href": "https://www.tenable.com/plugins/nessus/132286", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132286);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/29\");\n\n script_cve_id(\n \"CVE-2018-1000632\"\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : dom4j (EulerOS-SA-2019-2569)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the dom4j package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - dom4j version prior to version 2.1.1 contains a CWE-91:\n XML Injection vulnerability in Class: Element. Methods:\n addElement, addAttribute that can result in an attacker\n tampering with XML documents through XML injection.\n This attack appear to be exploitable via an attacker\n specifying attributes or elements in the XML document.\n This vulnerability appears to have been fixed in 2.1.1\n or later.(CVE-2018-1000632)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2569\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5afee94a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dom4j package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1000632\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dom4j\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dom4j-1.6.1-20.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dom4j\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-23T14:15:12", "description": "Mario Areias discovered that dom4j, a XML framework for Java, was vulnerable to a XML injection attack. An attacker able to specify attributes or elements in the XML document might be able to modify the whole XML document.\n\nFor Debian 8 'Jessie', this problem has been fixed in version 1.6.1+dfsg.3-2+deb8u1.\n\nWe recommend that you upgrade your dom4j packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2018-09-25T00:00:00", "type": "nessus", "title": "Debian DLA-1517-1 : dom4j security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libdom4j-java", "p-cpe:/a:debian:debian_linux:libdom4j-java-doc", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-1517.NASL", "href": "https://www.tenable.com/plugins/nessus/117673", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1517-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117673);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2018-1000632\");\n\n script_name(english:\"Debian DLA-1517-1 : dom4j security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Mario Areias discovered that dom4j, a XML framework for Java, was\nvulnerable to a XML injection attack. An attacker able to specify\nattributes or elements in the XML document might be able to modify the\nwhole XML document.\n\nFor Debian 8 'Jessie', this problem has been fixed in version\n1.6.1+dfsg.3-2+deb8u1.\n\nWe recommend that you upgrade your dom4j packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/dom4j\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade the affected libdom4j-java, and libdom4j-java-doc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libdom4j-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libdom4j-java-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libdom4j-java\", reference:\"1.6.1+dfsg.3-2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libdom4j-java-doc\", reference:\"1.6.1+dfsg.3-2+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:33:23", "description": "According to the version of the dom4j package installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - dom4j version prior to version 2.1.1 contains a CWE-91:\n XML Injection vulnerability in Class: Element. Methods:\n addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection.\n This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document.\n This vulnerability appears to have been fixed in 2.1.1 or later.(CVE-2018-1000632)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-12-10T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP2 : dom4j (EulerOS-SA-2019-2405)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632"], "modified": "2021-01-29T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:dom4j", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2405.NASL", "href": "https://www.tenable.com/plugins/nessus/131897", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131897);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/29\");\n\n script_cve_id(\n \"CVE-2018-1000632\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : dom4j (EulerOS-SA-2019-2405)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the dom4j package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - dom4j version prior to version 2.1.1 contains a CWE-91:\n XML Injection vulnerability in Class: Element. Methods:\n addElement, addAttribute that can result in an attacker\n tampering with XML documents through XML injection.\n This attack appear to be exploitable via an attacker\n specifying attributes or elements in the XML document.\n This vulnerability appears to have been fixed in 2.1.1\n or later.(CVE-2018-1000632)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2405\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4ce1c471\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected dom4j package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1000632\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:dom4j\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"dom4j-1.6.1-20.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dom4j\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:30:20", "description": "An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.1.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* wildfly-core: Cross-site scripting (XSS) in JBoss Management Console (CVE-2018-10934)\n\n* undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer (CVE-2018-14642)\n\n* dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents (CVE-2018-1000632)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {}, "published": "2019-02-20T00:00:00", "type": "nessus", "title": "RHEL 7 : JBoss EAP (RHSA-2019:0365)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632", "CVE-2018-10934", "CVE-2018-14642"], "modified": "2022-05-23T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-native", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools", "p-cpe:/a:redhat:enterprise_linux:eap7-dom4j", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-infinispan", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-api", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-spi", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-api", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-deployers-common", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-jdbc", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-validator", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind", "p-cpe:/a:redhat:enterprise_linux:eap7-jandex", "p-cpe:/a:redhat:enterprise_linux:eap7-jberet", "p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ejb-client", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-el-api_3.0_spec", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-logmanager", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-modules", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-security-negotiation", "p-cpe:/a:redhat:enterprise_linux:eap7-jbossws-common", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbosstxbridge", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbossxts", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-api", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-common", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-config", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-federation", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-api", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-simple-schema", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-common", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-web-console-eap", "cpe:/o:redhat:enterprise_linux:7"], "id": "REDHAT-RHSA-2019-0365.NASL", "href": "https://www.tenable.com/plugins/nessus/122333", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:0365. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(122333);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/23\");\n\n script_cve_id(\"CVE-2018-10934\", \"CVE-2018-14642\", \"CVE-2018-1000632\");\n script_xref(name:\"RHSA\", value:\"2019:0365\");\n\n script_name(english:\"RHEL 7 : JBoss EAP (RHSA-2019:0365)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update is now available for Red Hat JBoss Enterprise Application\nPlatform 7.1 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform is a platform for Java\napplications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.1.6\nserves as a replacement for Red Hat JBoss Enterprise Application\nPlatform 7.1.5, and includes bug fixes and enhancements, which are\ndocumented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* wildfly-core: Cross-site scripting (XSS) in JBoss Management Console\n(CVE-2018-10934)\n\n* undertow: Infoleak in some circumstances where Undertow can serve\ndata from a random buffer (CVE-2018-14642)\n\n* dom4j: XML Injection in Class: Element. Methods: addElement,\naddAttribute which can impact the integrity of XML documents\n(CVE-2018-1000632)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/documentation/en-us/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2019:0365\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2018-10934\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2018-14642\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2018-1000632\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-14642\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2018-1000632\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-dom4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-infinispan\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-spi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-deployers-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-validator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jandex\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jberet\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ejb-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-el-api_3.0_spec\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-logmanager\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-security-negotiation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jbossws-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbosstxbridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbossxts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-federation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-simple-schema\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-web-console-eap\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:0365\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL7\", rpm:\"eap7-jboss\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-1.5.5.015-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-cli-1.5.5.015-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-commons-1.5.5.015-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-core-client-1.5.5.015-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-dto-1.5.5.015-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-hornetq-protocol-1.5.5.015-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-hqclient-protocol-1.5.5.015-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-jdbc-store-1.5.5.015-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-jms-client-1.5.5.015-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-jms-server-1.5.5.015-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-journal-1.5.5.015-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-native-1.5.5.015-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-ra-1.5.5.015-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-selector-1.5.5.015-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-server-1.5.5.015-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-service-extensions-1.5.5.015-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-apache-cxf-3.1.16-2.redhat_2.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-apache-cxf-rt-3.1.16-2.redhat_2.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-apache-cxf-services-3.1.16-2.redhat_2.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-apache-cxf-tools-3.1.16-2.redhat_2.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-dom4j-2.1.1-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-hibernate-5.1.17-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-hibernate-core-5.1.17-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-hibernate-entitymanager-5.1.17-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-hibernate-envers-5.1.17-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-hibernate-infinispan-5.1.17-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-hibernate-java8-5.1.17-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-1.4.12-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-common-api-1.4.12-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-common-impl-1.4.12-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-common-spi-1.4.12-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-core-api-1.4.12-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-core-impl-1.4.12-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-deployers-common-1.4.12-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-jdbc-1.4.12-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-validator-1.4.12-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jackson-databind-2.8.11.3-1.redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jandex-2.0.5-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jberet-1.2.7-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jberet-core-1.2.7-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-ejb-client-4.0.12-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-el-api_3.0_spec-1.0.13-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-logmanager-2.0.11-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-modules-1.6.7-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-security-negotiation-3.0.5-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jbossws-common-3.1.7-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-5.5.34-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-compensations-5.5.34-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-jbosstxbridge-5.5.34-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-jbossxts-5.5.34-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-jts-idlj-5.5.34-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-jts-integration-5.5.34-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-restat-api-5.5.34-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-restat-bridge-5.5.34-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-restat-integration-5.5.34-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-restat-util-5.5.34-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-txframework-5.5.34-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-api-2.5.5-15.SP12_redhat_3.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-bindings-2.5.5-15.SP12_redhat_3.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-common-2.5.5-15.SP12_redhat_3.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-config-2.5.5-15.SP12_redhat_3.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-federation-2.5.5-15.SP12_redhat_3.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-idm-api-2.5.5-15.SP12_redhat_3.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-idm-impl-2.5.5-15.SP12_redhat_3.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-idm-simple-schema-2.5.5-15.SP12_redhat_3.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-impl-2.5.5-15.SP12_redhat_3.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-wildfly8-2.5.5-15.SP12_redhat_3.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-undertow-1.4.18-10.SP11_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-undertow-jastow-2.0.7-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wildfly-7.1.6-4.GA_redhat_00002.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wildfly-common-1.2.1-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wildfly-elytron-1.1.12-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wildfly-elytron-tool-1.0.9-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wildfly-javadocs-7.1.6-2.GA_redhat_00002.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wildfly-modules-7.1.6-4.GA_redhat_00002.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wildfly-web-console-eap-2.9.19-1.Final_redhat_00001.1.ep7.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"eap7-activemq-artemis / eap7-activemq-artemis-cli / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:29:07", "description": "An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.1.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* wildfly-core: Cross-site scripting (XSS) in JBoss Management Console (CVE-2018-10934)\n\n* undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer (CVE-2018-14642)\n\n* dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents (CVE-2018-1000632)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {}, "published": "2019-02-20T00:00:00", "type": "nessus", "title": "RHEL 6 : JBoss EAP (RHSA-2019:0364)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632", "CVE-2018-10934", "CVE-2018-14642"], "modified": "2022-05-23T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-native", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools", "p-cpe:/a:redhat:enterprise_linux:eap7-dom4j", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-infinispan", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-api", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-spi", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-api", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-deployers-common", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-jdbc", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-validator", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge", "p-cpe:/a:redhat:enterprise_linux:eap7-jandex", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration", "p-cpe:/a:redhat:enterprise_linux:eap7-jberet", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util", "p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ejb-client", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-el-api_3.0_spec", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-api", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-logmanager", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-modules", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-security-negotiation", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings", "p-cpe:/a:redhat:enterprise_linux:eap7-jbossws-common", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-common", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-config", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbosstxbridge", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbossxts", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-federation", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-api", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-simple-schema", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-common", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-web-console-eap", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2019-0364.NASL", "href": "https://www.tenable.com/plugins/nessus/122332", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:0364. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(122332);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/23\");\n\n script_cve_id(\"CVE-2018-10934\", \"CVE-2018-14642\", \"CVE-2018-1000632\");\n script_xref(name:\"RHSA\", value:\"2019:0364\");\n\n script_name(english:\"RHEL 6 : JBoss EAP (RHSA-2019:0364)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update is now available for Red Hat JBoss Enterprise Application\nPlatform 7.1 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform is a platform for Java\napplications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.1.6\nserves as a replacement for Red Hat JBoss Enterprise Application\nPlatform 7.1.5, and includes bug fixes and enhancements, which are\ndocumented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* wildfly-core: Cross-site scripting (XSS) in JBoss Management Console\n(CVE-2018-10934)\n\n* undertow: Infoleak in some circumstances where Undertow can serve\ndata from a random buffer (CVE-2018-14642)\n\n* dom4j: XML Injection in Class: Element. Methods: addElement,\naddAttribute which can impact the integrity of XML documents\n(CVE-2018-1000632)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/documentation/en-us/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2019:0364\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2018-10934\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2018-14642\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2018-1000632\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-14642\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2018-1000632\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-dom4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-infinispan\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-spi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-deployers-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-validator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jandex\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jberet\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ejb-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-el-api_3.0_spec\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-logmanager\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-security-negotiation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jbossws-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbosstxbridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbossxts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-federation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-simple-schema\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-web-console-eap\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:0364\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL6\", rpm:\"eap7-jboss\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-1.5.5.015-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-cli-1.5.5.015-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-commons-1.5.5.015-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-core-client-1.5.5.015-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-dto-1.5.5.015-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-hornetq-protocol-1.5.5.015-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-hqclient-protocol-1.5.5.015-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-jdbc-store-1.5.5.015-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-jms-client-1.5.5.015-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-jms-server-1.5.5.015-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-journal-1.5.5.015-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-native-1.5.5.015-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-ra-1.5.5.015-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-selector-1.5.5.015-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-server-1.5.5.015-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-service-extensions-1.5.5.015-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-apache-cxf-3.1.16-2.redhat_2.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-apache-cxf-rt-3.1.16-2.redhat_2.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-apache-cxf-services-3.1.16-2.redhat_2.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-apache-cxf-tools-3.1.16-2.redhat_2.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-dom4j-2.1.1-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-hibernate-5.1.17-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-hibernate-core-5.1.17-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-hibernate-entitymanager-5.1.17-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-hibernate-envers-5.1.17-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-hibernate-infinispan-5.1.17-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-hibernate-java8-5.1.17-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-1.4.12-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-common-api-1.4.12-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-common-impl-1.4.12-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-common-spi-1.4.12-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-core-api-1.4.12-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-core-impl-1.4.12-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-deployers-common-1.4.12-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-jdbc-1.4.12-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-validator-1.4.12-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jackson-databind-2.8.11.3-1.redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jandex-2.0.5-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jberet-1.2.7-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jberet-core-1.2.7-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-ejb-client-4.0.12-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-el-api_3.0_spec-1.0.13-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-logmanager-2.0.11-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-modules-1.6.7-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-security-negotiation-3.0.5-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jbossws-common-3.1.7-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-5.5.34-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-compensations-5.5.34-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-jbosstxbridge-5.5.34-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-jbossxts-5.5.34-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-jts-idlj-5.5.34-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-jts-integration-5.5.34-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-restat-api-5.5.34-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-restat-bridge-5.5.34-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-restat-integration-5.5.34-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-restat-util-5.5.34-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-txframework-5.5.34-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-api-2.5.5-15.SP12_redhat_3.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-bindings-2.5.5-15.SP12_redhat_3.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-common-2.5.5-15.SP12_redhat_3.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-config-2.5.5-15.SP12_redhat_3.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-federation-2.5.5-15.SP12_redhat_3.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-idm-api-2.5.5-15.SP12_redhat_3.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-idm-impl-2.5.5-15.SP12_redhat_3.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-idm-simple-schema-2.5.5-15.SP12_redhat_3.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-impl-2.5.5-15.SP12_redhat_3.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-wildfly8-2.5.5-15.SP12_redhat_3.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-undertow-1.4.18-10.SP11_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-undertow-jastow-2.0.7-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wildfly-7.1.6-4.GA_redhat_00002.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wildfly-common-1.2.1-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wildfly-elytron-1.1.12-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wildfly-elytron-tool-1.0.9-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wildfly-javadocs-7.1.6-2.GA_redhat_00002.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wildfly-modules-7.1.6-4.GA_redhat_00002.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wildfly-web-console-eap-2.9.19-1.Final_redhat_00001.1.ep7.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"eap7-activemq-artemis / eap7-activemq-artemis-cli / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:33:45", "description": "The version of Red Hat JBoss Enterprise Application Platform (EAP) installed on the remote host is 6.x prior to 6.4.22. It is therefore, affected my multiple vulnerabilities as referenced in the RHSA-2019:1162 advisory:\n\n - admin-cli: wildfly-core: Cross-site scripting (XSS) in JBoss Management Console (CVE-2018-10934)\n\n - dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents (CVE-2018-1000632)\n\n - jbossweb: tomcat: host name verification missing in WebSocket client (CVE-2018-8034)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2019-12-19T00:00:00", "type": "nessus", "title": "Red Hat JBoss Enterprise Application Platform 6.x < 6.4.22 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632", "CVE-2018-10934", "CVE-2018-8034"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:redhat:jboss_enterprise_application_platform"], "id": "JBOSS_EAP_RHSA-2019-1162.NASL", "href": "https://www.tenable.com/plugins/nessus/132311", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132311);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-8034\", \"CVE-2018-10934\", \"CVE-2018-1000632\");\n script_bugtraq_id(104895, 106608);\n script_xref(name:\"RHSA\", value:\"2019:1162\");\n\n script_name(english:\"Red Hat JBoss Enterprise Application Platform 6.x < 6.4.22 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat JBoss Enterprise Application Platform installation is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Red Hat JBoss Enterprise Application Platform (EAP) installed\non the remote host is 6.x prior to 6.4.22. It is therefore, affected my multiple\nvulnerabilities as referenced in the RHSA-2019:1162 advisory:\n\n - admin-cli: wildfly-core: Cross-site scripting (XSS) in JBoss Management\n Console (CVE-2018-10934)\n\n - dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute\n which can impact the integrity of XML documents (CVE-2018-1000632)\n\n - jbossweb: tomcat: host name verification missing in WebSocket client\n (CVE-2018-8034)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2019:1162\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to Red Hat JBoss Enterprise Application Platform 6.4.22 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8034\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:jboss_enterprise_application_platform\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"jboss_detect.nbin\");\n script_require_keys(\"installed_sw/JBoss\");\n\n exit(0);\n}\n\ninclude('lists.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\n\nvcf::jboss::eap::initialize();\napp_info = vcf::jboss::eap::get_app_info();\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { 'min_version' : '6', 'fixed_version' : '6.4.22' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING, flags:{xss:TRUE});\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-12-23T02:29:39", "description": "An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.22 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.21, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* admin-cli: wildfly-core: Cross-site scripting (XSS) in JBoss Management Console (CVE-2018-10934)\n\n* dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents (CVE-2018-1000632)\n\n* jbossweb: tomcat: host name verification missing in WebSocket client (CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.", "cvss3": {}, "published": "2019-05-14T00:00:00", "type": "nessus", "title": "RHEL 6 : JBoss EAP (RHSA-2019:1160)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632", "CVE-2018-10934", "CVE-2018-8034"], "modified": "2021-02-08T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:apache-cxf", "p-cpe:/a:redhat:enterprise_linux:dom4j-eap6", "p-cpe:/a:redhat:enterprise_linux:hornetq", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-api-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-impl-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-spi-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-api-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-impl-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-deployers-common-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-jdbc-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-spec-api-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-validator-eap6", "p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient", "p-cpe:/a:redhat:enterprise_linux:jboss-as-cli", "p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all", "p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering", "p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp", "p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin", "p-cpe:/a:redhat:enterprise_linux:jboss-as-connector", "p-cpe:/a:redhat:enterprise_linux:jboss-as-console", "p-cpe:/a:redhat:enterprise_linux:jboss-as-controller", "p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client", "p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security", "p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository", "p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner", "p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http", "p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management", "p-cpe:/a:redhat:enterprise_linux:jboss-as-ee", "p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment", "p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3", "p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded", "p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77", "p-cpe:/a:redhat:enterprise_linux:jboss-as-logging", "p-cpe:/a:redhat:enterprise_linux:jboss-as-mail", "p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content", "p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging", "p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster", "p-cpe:/a:redhat:enterprise_linux:jboss-as-naming", "p-cpe:/a:redhat:enterprise_linux:jboss-as-network", "p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi", "p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin", "p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service", "p-cpe:/a:redhat:enterprise_linux:jboss-as-picketlink", "p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean", "p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo", "p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller", "p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol", "p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting", "p-cpe:/a:redhat:enterprise_linux:jboss-as-sar", "p-cpe:/a:redhat:enterprise_linux:jboss-as-security", "p-cpe:/a:redhat:enterprise_linux:jboss-as-server", "p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx", "p-cpe:/a:redhat:enterprise_linux:jboss-as-threads", "p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions", "p-cpe:/a:redhat:enterprise_linux:jboss-as-version", "p-cpe:/a:redhat:enterprise_linux:jboss-as-web", "p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices", "p-cpe:/a:redhat:enterprise_linux:jboss-as-weld", "p-cpe:/a:redhat:enterprise_linux:jboss-as-xts", "p-cpe:/a:redhat:enterprise_linux:jboss-hal", "p-cpe:/a:redhat:enterprise_linux:jboss-remote-naming", "p-cpe:/a:redhat:enterprise_linux:jbossas-appclient", "p-cpe:/a:redhat:enterprise_linux:jbossas-bundles", "p-cpe:/a:redhat:enterprise_linux:jbossas-core", "p-cpe:/a:redhat:enterprise_linux:jbossas-domain", "p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs", "p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap", "p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap", "p-cpe:/a:redhat:enterprise_linux:jbossas-standalone", "p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap", "p-cpe:/a:redhat:enterprise_linux:jbossweb", "p-cpe:/a:redhat:enterprise_linux:resteasy", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2019-1160.NASL", "href": "https://www.tenable.com/plugins/nessus/125034", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:1160. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125034);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/08\");\n\n script_cve_id(\"CVE-2018-1000632\", \"CVE-2018-10934\", \"CVE-2018-8034\");\n script_xref(name:\"RHSA\", value:\"2019:1160\");\n\n script_name(english:\"RHEL 6 : JBoss EAP (RHSA-2019:1160)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"An update is now available for Red Hat JBoss Enterprise Application\nPlatform 6.4 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform is a platform for Java\napplications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.22\nserves as a replacement for Red Hat JBoss Enterprise Application\nPlatform 6.4.21, and includes bug fixes and enhancements, which are\ndocumented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* admin-cli: wildfly-core: Cross-site scripting (XSS) in JBoss\nManagement Console (CVE-2018-10934)\n\n* dom4j: XML Injection in Class: Element. Methods: addElement,\naddAttribute which can impact the integrity of XML documents\n(CVE-2018-1000632)\n\n* jbossweb: tomcat: host name verification missing in WebSocket client\n(CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.4 on Red\nHat Enterprise Linux 6 are advised to upgrade to these updated\npackages. The JBoss server process must be restarted for the update to\ntake effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/documentation/en-US/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2019:1160\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-8034\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-10934\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-1000632\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8034\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-cxf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dom4j-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hornetq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-api-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-impl-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-spi-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-api-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-impl-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-deployers-common-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-jdbc-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-spec-api-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-validator-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-connector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-controller\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-ee\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-logging\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-mail\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-naming\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-network\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-picketlink\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-sar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-security\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-threads\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-version\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-web\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-weld\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-xts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-hal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-remote-naming\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-appclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-bundles\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-domain\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-standalone\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossweb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:resteasy\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:1160\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL6\", rpm:\"jbossas-welcome-content-eap\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL6\", reference:\"apache-cxf-2.7.18-8.SP7_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"dom4j-eap6-1.6.1-22.redhat_9.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"hornetq-2.3.25-28.SP29_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-common-api-eap6-1.0.43-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-common-impl-eap6-1.0.43-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-common-spi-eap6-1.0.43-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-core-api-eap6-1.0.43-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-core-impl-eap6-1.0.43-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-deployers-common-eap6-1.0.43-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-eap6-1.0.43-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-jdbc-eap6-1.0.43-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-spec-api-eap6-1.0.43-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ironjacamar-validator-eap6-1.0.43-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-appclient-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-cli-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-client-all-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-clustering-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-cmp-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-configadmin-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-connector-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-console-2.5.19-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-controller-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-controller-client-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-core-security-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-deployment-repository-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-deployment-scanner-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-domain-http-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-domain-management-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-ee-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-ee-deployment-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-ejb3-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-embedded-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-host-controller-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-jacorb-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-jaxr-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-jaxrs-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-jdr-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-jmx-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-jpa-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-jsf-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-jsr77-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-logging-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-mail-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-management-client-content-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-messaging-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-modcluster-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-naming-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-network-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-osgi-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-osgi-configadmin-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-osgi-service-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-picketlink-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-platform-mbean-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-pojo-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-process-controller-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-protocol-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-remoting-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-sar-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-security-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-server-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-system-jmx-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-threads-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-transactions-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-version-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-web-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-webservices-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-weld-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-as-xts-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-hal-2.5.19-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jboss-remote-naming-1.0.15-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossas-appclient-7.5.22-2.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossas-bundles-7.5.22-2.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossas-core-7.5.22-2.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossas-domain-7.5.22-2.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossas-javadocs-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossas-modules-eap-7.5.22-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossas-product-eap-7.5.22-2.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossas-standalone-7.5.22-2.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossas-welcome-content-eap-7.5.22-2.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbossweb-7.5.30-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"resteasy-2.3.23-1.Final_redhat_1.1.ep6.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache-cxf / dom4j-eap6 / hornetq / ironjacamar-common-api-eap6 / etc\");\n }\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-12-23T02:31:40", "description": "An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.22 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.21, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* admin-cli: wildfly-core: Cross-site scripting (XSS) in JBoss Management Console (CVE-2018-10934)\n\n* dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents (CVE-2018-1000632)\n\n* jbossweb: tomcat: host name verification missing in WebSocket client (CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.", "cvss3": {}, "published": "2019-05-14T00:00:00", "type": "nessus", "title": "RHEL 7 : JBoss EAP (RHSA-2019:1161)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000632", "CVE-2018-10934", "CVE-2018-8034"], "modified": "2021-02-08T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:apache-cxf", "p-cpe:/a:redhat:enterprise_linux:dom4j-eap6", "p-cpe:/a:redhat:enterprise_linux:hornetq", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-api-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-impl-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-spi-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-api-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-impl-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-deployers-common-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-jdbc-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-spec-api-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-validator-eap6", "p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient", "p-cpe:/a:redhat:enterprise_linux:jboss-as-cli", "p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all", "p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering", "p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp", "p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin", "p-cpe:/a:redhat:enterprise_linux:jboss-as-connector", "p-cpe:/a:redhat:enterprise_linux:jboss-as-console", "p-cpe:/a:redhat:enterprise_linux:jboss-as-controller", "p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client", "p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security", "p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository", "p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner", "p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http", "p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management", "p-cpe:/a:redhat:enterprise_linux:jboss-as-ee", "p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment", "p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3", "p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded", "p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77", "p-cpe:/a:redhat:enterprise_linux:jboss-as-logging", "p-cpe:/a:redhat:enterprise_linux:jboss-as-mail", "p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content", "p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging", "p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster", "p-cpe:/a:redhat:enterprise_linux:jboss-as-naming", "p-cpe:/a:redhat:enterprise_linux:jboss-as-network", "p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi", "p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin", "p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service", "p-cpe:/a:redhat:enterprise_linux:jboss-as-picketlink", "p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean", "p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo", "p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller", "p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol", "p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting", "p-cpe:/a:redhat:enterprise_linux:jboss-as-sar", "p-cpe:/a:redhat:enterprise_linux:jboss-as-security", "p-cpe:/a:redhat:enterprise_linux:jboss-as-server", "p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx", "p-cpe:/a:redhat:enterprise_linux:jboss-as-threads", "p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions", "p-cpe:/a:redhat:enterprise_linux:jboss-as-version", "p-cpe:/a:redhat:enterprise_linux:jboss-as-web", "p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices", "p-cpe:/a:redhat:enterprise_linux:jboss-as-weld", "p-cpe:/a:redhat:enterprise_linux:jboss-as-xts", "p-cpe:/a:redhat:enterprise_linux:jboss-hal", "p-cpe:/a:redhat:enterprise_linux:jboss-remote-naming", "p-cpe:/a:redhat:enterprise_linux:jbossas-appclient", "p-cpe:/a:redhat:enterprise_linux:jbossas-bundles", "p-cpe:/a:redhat:enterprise_linux:jbossas-core", "p-cpe:/a:redhat:enterprise_linux:jbossas-domain", "p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs", "p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap", "p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap", "p-cpe:/a:redhat:enterprise_linux:jbossas-standalone", "p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap", "p-cpe:/a:redhat:enterprise_linux:jbossweb", "p-cpe:/a:redhat:enterprise_linux:resteasy", "cpe:/o:redhat:enterprise_linux:7"], "id": "REDHAT-RHSA-2019-1161.NASL", "href": "https://www.tenable.com/plugins/nessus/125035", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:1161. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125035);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/08\");\n\n script_cve_id(\"CVE-2018-1000632\", \"CVE-2018-10934\", \"CVE-2018-8034\");\n script_xref(name:\"RHSA\", value:\"2019:1161\");\n\n script_name(english:\"RHEL 7 : JBoss EAP (RHSA-2019:1161)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"An update is now available for Red Hat JBoss Enterprise Application\nPlatform 6.4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform is a platform for Java\napplications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.22\nserves as a replacement for Red Hat JBoss Enterprise Application\nPlatform 6.4.21, and includes bug fixes and enhancements, which are\ndocumented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* admin-cli: wildfly-core: Cross-site scripting (XSS) in JBoss\nManagement Console (CVE-2018-10934)\n\n* dom4j: XML Injection in Class: Element. Methods: addElement,\naddAttribute which can impact the integrity of XML documents\n(CVE-2018-1000632)\n\n* jbossweb: tomcat: host name verification missing in WebSocket client\n(CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.4 on Red\nHat Enterprise Linux 7 are advised to upgrade to these updated\npackages. The JBoss server process must be restarted for the update to\ntake effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/documentation/en-US/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2019:1161\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-8034\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-10934\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-1000632\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8034\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-cxf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dom4j-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hornetq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-api-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-impl-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-spi-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-api-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-impl-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-deployers-common-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-jdbc-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-spec-api-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-validator-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-connector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-controller\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-ee\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-logging\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-mail\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-naming\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-network\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-picketlink\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-sar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-security\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-threads\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-version\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-web\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-weld\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-xts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-hal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-remote-naming\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-appclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-bundles\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-domain\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-standalone\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossweb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:resteasy\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:1161\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL7\", rpm:\"jbossas-welcome-content-eap\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL7\", reference:\"apache-cxf-2.7.18-8.SP7_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"dom4j-eap6-1.6.1-22.redhat_9.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"hornetq-2.3.25-28.SP29_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-common-api-eap6-1.0.43-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-common-impl-eap6-1.0.43-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-common-spi-eap6-1.0.43-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-core-api-eap6-1.0.43-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-core-impl-eap6-1.0.43-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-deployers-common-eap6-1.0.43-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-eap6-1.0.43-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-jdbc-eap6-1.0.43-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-spec-api-eap6-1.0.43-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-validator-eap6-1.0.43-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-appclient-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-cli-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-client-all-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-clustering-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-cmp-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-configadmin-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-connector-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-console-2.5.19-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-controller-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-controller-client-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-core-security-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-deployment-repository-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-deployment-scanner-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-domain-http-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-domain-management-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-ee-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-ee-deployment-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-ejb3-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-embedded-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-host-controller-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-jacorb-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-jaxr-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-jaxrs-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-jdr-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-jmx-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-jpa-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-jsf-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-jsr77-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-logging-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-mail-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-management-client-content-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-messaging-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-modcluster-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-naming-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-network-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-osgi-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-osgi-configadmin-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-osgi-service-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-picketlink-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-platform-mbean-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-pojo-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-process-controller-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-protocol-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-remoting-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-sar-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-security-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-server-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-system-jmx-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-threads-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-transactions-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-version-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-web-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-webservices-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-weld-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-xts-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-hal-2.5.19-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-remote-naming-1.0.15-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jbossas-appclient-7.5.22-2.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jbossas-bundles-7.5.22-2.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jbossas-core-7.5.22-2.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jbossas-domain-7.5.22-2.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jbossas-javadocs-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jbossas-modules-eap-7.5.22-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jbossas-product-eap-7.5.22-2.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jbossas-standalone-7.5.22-2.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jbossas-welcome-content-eap-7.5.22-2.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jbossweb-7.5.30-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"resteasy-2.3.23-1.Final_redhat_1.1.ep6.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache-cxf / dom4j-eap6 / hornetq / ironjacamar-common-api-eap6 / etc\");\n }\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-24T14:31:07", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:3172 advisory.\n\n - python-werkzeug: Cross-site scripting in render_full function in debug/tbtools.py (CVE-2016-10516)\n\n - python-jinja2: Sandbox escape due to information disclosure via str.format (CVE-2016-10745)\n\n - dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents (CVE-2018-1000632)\n\n - rubygem-rack: Buffer size in multipart parser allows for denial of service (CVE-2018-16470)\n\n - foreman: authorization bypasses in foreman-tasks leading to information disclosure (CVE-2019-10198)\n\n - python-jinja2: str.format_map allows sandbox escape (CVE-2019-10906)\n\n - python-twisted: Improper neutralization of CRLF characters in URIs and HTTP methods (CVE-2019-12387)\n\n - katello: registry credentials are captured in plain text during repository discovery (CVE-2019-14825)\n\n - foreman: Recover of plaintext password or token for the compute resources (CVE-2019-3893)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2019-10-24T00:00:00", "type": "nessus", "title": "RHEL 7 : Red Hat Satellite 6 (RHSA-2019:3172)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-10516", "CVE-2016-10745", "CVE-2018-1000632", "CVE-2018-16470", "CVE-2019-10198", "CVE-2019-10906", "CVE-2019-12387", "CVE-2019-14825", "CVE-2019-3893"], "modified": "2022-05-18T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:python-pulp-bindings", "p-cpe:/a:redhat:enterprise_linux:ansible-runner", "p-cpe:/a:redhat:enterprise_linux:python-pulp-client-lib", "p-cpe:/a:redhat:enterprise_linux:python-pulp-common", "p-cpe:/a:redhat:enterprise_linux:ansiblerole-foreman_scap_client", "p-cpe:/a:redhat:enterprise_linux:python-pulp-docker-common", "p-cpe:/a:redhat:enterprise_linux:ansiblerole-insights-client", "p-cpe:/a:redhat:enterprise_linux:python-pulp-integrity", "p-cpe:/a:redhat:enterprise_linux:python-pulp-oid_validation", "p-cpe:/a:redhat:enterprise_linux:python-pulp-ostree-common", "p-cpe:/a:redhat:enterprise_linux:python-pulp-puppet-common", "p-cpe:/a:redhat:enterprise_linux:python-pulp-repoauth", "p-cpe:/a:redhat:enterprise_linux:candlepin", "p-cpe:/a:redhat:enterprise_linux:python-pulp-rpm-common", "p-cpe:/a:redhat:enterprise_linux:python-pulp-streamer", "p-cpe:/a:redhat:enterprise_linux:candlepin-selinux", "p-cpe:/a:redhat:enterprise_linux:python-pymongo", "p-cpe:/a:redhat:enterprise_linux:createrepo_c", "p-cpe:/a:redhat:enterprise_linux:python-pymongo-gridfs", "p-cpe:/a:redhat:enterprise_linux:python-qpid", "p-cpe:/a:redhat:enterprise_linux:python-qpid-proton", "p-cpe:/a:redhat:enterprise_linux:createrepo_c-libs", "p-cpe:/a:redhat:enterprise_linux:python-qpid-qmf", "p-cpe:/a:redhat:enterprise_linux:python-saslwrapper", "p-cpe:/a:redhat:enterprise_linux:foreman", "p-cpe:/a:redhat:enterprise_linux:python-semantic_version", "p-cpe:/a:redhat:enterprise_linux:python-simplejson", "p-cpe:/a:redhat:enterprise_linux:foreman-bootloaders-redhat", "p-cpe:/a:redhat:enterprise_linux:python-zope-interface", "p-cpe:/a:redhat:enterprise_linux:foreman-bootloaders-redhat-tftpboot", "p-cpe:/a:redhat:enterprise_linux:python2-amqp", "p-cpe:/a:redhat:enterprise_linux:foreman-cli", "p-cpe:/a:redhat:enterprise_linux:python2-ansible-runner", "p-cpe:/a:redhat:enterprise_linux:python2-anyjson", "p-cpe:/a:redhat:enterprise_linux:foreman-debug", "p-cpe:/a:redhat:enterprise_linux:python2-billiard", "p-cpe:/a:redhat:enterprise_linux:python2-celery", "p-cpe:/a:redhat:enterprise_linux:python2-click", "p-cpe:/a:redhat:enterprise_linux:foreman-discovery-image", "p-cpe:/a:redhat:enterprise_linux:python2-crane", "p-cpe:/a:redhat:enterprise_linux:python2-daemon", "p-cpe:/a:redhat:enterprise_linux:python2-django", "p-cpe:/a:redhat:enterprise_linux:foreman-ec2", "p-cpe:/a:redhat:enterprise_linux:python2-flask", "p-cpe:/a:redhat:enterprise_linux:foreman-gce", "p-cpe:/a:redhat:enterprise_linux:python2-future", "p-cpe:/a:redhat:enterprise_linux:python2-gobject", "p-cpe:/a:redhat:enterprise_linux:python2-gobject-base", "p-cpe:/a:redhat:enterprise_linux:foreman-installer", "p-cpe:/a:redhat:enterprise_linux:python2-isodate", "p-cpe:/a:redhat:enterprise_linux:foreman-installer-katello", "p-cpe:/a:redhat:enterprise_linux:python2-itsdangerous", "p-cpe:/a:redhat:enterprise_linux:foreman-journald", "p-cpe:/a:redhat:enterprise_linux:python2-jinja2", "p-cpe:/a:redhat:enterprise_linux:python2-kombu", "p-cpe:/a:redhat:enterprise_linux:foreman-libvirt", "p-cpe:/a:redhat:enterprise_linux:python2-lockfile", "p-cpe:/a:redhat:enterprise_linux:foreman-openstack", "p-cpe:/a:redhat:enterprise_linux:python2-markupsafe", "p-cpe:/a:redhat:enterprise_linux:foreman-ovirt", "p-cpe:/a:redhat:enterprise_linux:python2-nectar", "p-cpe:/a:redhat:enterprise_linux:python2-okaara", "p-cpe:/a:redhat:enterprise_linux:foreman-postgresql", "p-cpe:/a:redhat:enterprise_linux:python2-pexpect", "p-cpe:/a:redhat:enterprise_linux:python2-ptyprocess", "p-cpe:/a:redhat:enterprise_linux:python2-pycurl", "p-cpe:/a:redhat:enterprise_linux:foreman-proxy", "p-cpe:/a:redhat:enterprise_linux:python2-solv", "p-cpe:/a:redhat:enterprise_linux:python2-twisted", "p-cpe:/a:redhat:enterprise_linux:foreman-proxy-content", "p-cpe:/a:redhat:enterprise_linux:python2-vine", "p-cpe:/a:redhat:enterprise_linux:foreman-proxy-journald", "p-cpe:/a:redhat:enterprise_linux:python2-werkzeug", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client", "p-cpe:/a:redhat:enterprise_linux:foreman-rackspace", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server", "p-cpe:/a:redhat:enterprise_linux:foreman-selinux", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-linearstore", "p-cpe:/a:redhat:enterprise_linux:foreman-telemetry", "p-cpe:/a:redhat:enterprise_linux:qpid-dispatch-router", "p-cpe:/a:redhat:enterprise_linux:foreman-vmware", "p-cpe:/a:redhat:enterprise_linux:qpid-dispatch-tools", "p-cpe:/a:redhat:enterprise_linux:hfsplus-tools", "p-cpe:/a:redhat:enterprise_linux:qpid-proton-c", "p-cpe:/a:redhat:enterprise_linux:katello", "p-cpe:/a:redhat:enterprise_linux:qpid-qmf", "p-cpe:/a:redhat:enterprise_linux:qpid-tools", "p-cpe:/a:redhat:enterprise_linux:katello-certs-tools", "p-cpe:/a:redhat:enterprise_linux:redhat-access-insights-puppet", "p-cpe:/a:redhat:enterprise_linux:katello-client-bootstrap", "p-cpe:/a:redhat:enterprise_linux:repoview", "p-cpe:/a:redhat:enterprise_linux:rhel8-kickstart-setup", "p-cpe:/a:redhat:enterprise_linux:rubygem-ansi", "p-cpe:/a:redhat:enterprise_linux:katello-common", "p-cpe:/a:redhat:enterprise_linux:rubygem-bundler_ext", "p-cpe:/a:redhat:enterprise_linux:rubygem-clamp", "p-cpe:/a:redhat:enterprise_linux:katello-debug", "p-cpe:/a:redhat:enterprise_linux:rubygem-concurrent-ruby", "p-cpe:/a:redhat:enterprise_linux:katello-selinux", "p-cpe:/a:redhat:enterprise_linux:rubygem-facter", "p-cpe:/a:redhat:enterprise_linux:rubygem-faraday", "p-cpe:/a:redhat:enterprise_linux:katello-service", "p-cpe:/a:redhat:enterprise_linux:rubygem-faraday_middleware", "p-cpe:/a:redhat:enterprise_linux:rubygem-fast_gettext", "p-cpe:/a:redhat:enterprise_linux:kobo", "p-cpe:/a:redhat:enterprise_linux:rubygem-ffi", "p-cpe:/a:redhat:enterprise_linux:rubygem-foreman_scap_client", "p-cpe:/a:redhat:enterprise_linux:libmodulemd", "p-cpe:/a:redhat:enterprise_linux:rubygem-gssapi", "p-cpe:/a:redhat:enterprise_linux:libsolv", "p-cpe:/a:redhat:enterprise_linux:rubygem-hashie", "p-cpe:/a:redhat:enterprise_linux:rubygem-highline", "p-cpe:/a:redhat:enterprise_linux:libwebsockets", "p-cpe:/a:redhat:enterprise_linux:rubygem-infoblox", "p-cpe:/a:redhat:enterprise_linux:livecd-tools", "p-cpe:/a:redhat:enterprise_linux:rubygem-journald-logger", "p-cpe:/a:redhat:enterprise_linux:rubygem-journald-native", "p-cpe:/a:redhat:enterprise_linux:mod_passenger", "p-cpe:/a:redhat:enterprise_linux:rubygem-jwt", "p-cpe:/a:redhat:enterprise_linux:rubygem-kafo", "p-cpe:/a:redhat:enterprise_linux:rubygem-kafo_parsers", "p-cpe:/a:redhat:enterprise_linux:rubygem-kafo_wizards", "p-cpe:/a:redhat:enterprise_linux:mod_xsendfile", "p-cpe:/a:redhat:enterprise_linux:rubygem-little-plugger", "p-cpe:/a:redhat:enterprise_linux:rubygem-logging", "p-cpe:/a:redhat:enterprise_linux:ostree", "p-cpe:/a:redhat:enterprise_linux:rubygem-logging-journald", "p-cpe:/a:redhat:enterprise_linux:pcp-mmvstatsd", "p-cpe:/a:redhat:enterprise_linux:rubygem-mime-types", "p-cpe:/a:redhat:enterprise_linux:rubygem-multi_json", "p-cpe:/a:redhat:enterprise_linux:pulp-admin-client", "p-cpe:/a:redhat:enterprise_linux:rubygem-multipart-post", "p-cpe:/a:redhat:enterprise_linux:rubygem-net-ssh", "p-cpe:/a:redhat:enterprise_linux:pulp-docker-admin-extensions", "p-cpe:/a:redhat:enterprise_linux:pulp-docker-plugins", "p-cpe:/a:redhat:enterprise_linux:rubygem-netrc", "p-cpe:/a:redhat:enterprise_linux:rubygem-newt", "p-cpe:/a:redhat:enterprise_linux:pulp-katello", "p-cpe:/a:redhat:enterprise_linux:rubygem-oauth", "p-cpe:/a:redhat:enterprise_linux:pulp-maintenance", "p-cpe:/a:redhat:enterprise_linux:rubygem-openscap", "p-cpe:/a:redhat:enterprise_linux:rubygem-passenger", "p-cpe:/a:redhat:enterprise_linux:pulp-nodes-child", "p-cpe:/a:redhat:enterprise_linux:rubygem-passenger-native", "p-cpe:/a:redhat:enterprise_linux:pulp-nodes-common", "p-cpe:/a:redhat:enterprise_linux:rubygem-passenger-native-libs", "p-cpe:/a:redhat:enterprise_linux:rubygem-powerbar", "p-cpe:/a:redhat:enterprise_linux:rubygem-rack", "p-cpe:/a:redhat:enterprise_linux:pulp-nodes-parent", "p-cpe:/a:redhat:enterprise_linux:rubygem-rack-protection", "p-cpe:/a:redhat:enterprise_linux:rubygem-rake", "p-cpe:/a:redhat:enterprise_linux:pulp-ostree-admin-extensions", "p-cpe:/a:redhat:enterprise_linux:rubygem-rb-inotify", "p-cpe:/a:redhat:enterprise_linux:rubygem-rest-client", "p-cpe:/a:redhat:enterprise_linux:pulp-ostree-plugins", "p-cpe:/a:redhat:enterprise_linux:rubygem-rkerberos", "p-cpe:/a:redhat:enterprise_linux:rubygem-rsec", "p-cpe:/a:redhat:enterprise_linux:pulp-puppet-admin-extensions", "p-cpe:/a:redhat:enterprise_linux:rubygem-rubyipmi", "p-cpe:/a:redhat:enterprise_linux:pulp-puppet-plugins", "p-cpe:/a:redhat:enterprise_linux:rubygem-sinatra", "p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_ansible", "p-cpe:/a:redhat:enterprise_linux:pulp-puppet-tools", "p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_dhcp_infoblox", "p-cpe:/a:redhat:enterprise_linux:pulp-rpm-admin-extensions", "p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_dhcp_remote_isc", "p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_discovery", "p-cpe:/a:redhat:enterprise_linux:pulp-rpm-plugins", "p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_discovery_image", "p-cpe:/a:redhat:enterprise_linux:pulp-selinux", "p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_dns_infoblox", "p-cpe:/a:redhat:enterprise_linux:pulp-server", "p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_dynflow", "p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_openscap", "p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_pulp", "p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_remote_execution_ssh", "p-cpe:/a:redhat:enterprise_linux:puppet-agent", "p-cpe:/a:redhat:enterprise_linux:rubygem-tilt", "p-cpe:/a:redhat:enterprise_linux:saslwrapper", "p-cpe:/a:redhat:enterprise_linux:puppet-agent-oauth", "p-cpe:/a:redhat:enterprise_linux:satellite", "p-cpe:/a:redhat:enterprise_linux:satellite-capsule", "p-cpe:/a:redhat:enterprise_linux:puppet-foreman_scap_client", "p-cpe:/a:redhat:enterprise_linux:satellite-cli", "p-cpe:/a:redhat:enterprise_linux:puppetlabs-stdlib", "p-cpe:/a:redhat:enterprise_linux:satellite-common", "p-cpe:/a:redhat:enterprise_linux:satellite-debug-tools", "p-cpe:/a:redhat:enterprise_linux:puppetserver", "p-cpe:/a:redhat:enterprise_linux:satellite-installer", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-actioncable", "p-cpe:/a:redhat:enterprise_linux:pycairo", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-actionmailer", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-actionpack", "p-cpe:/a:redhat:enterprise_linux:python-blinker", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-actionview", "p-cpe:/a:redhat:enterprise_linux:python-bson", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-activejob", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-activemodel", "p-cpe:/a:redhat:enterprise_linux:python-gnupg", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-activerecord", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-activestorage", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-activesupport", "p-cpe:/a:redhat:enterprise_linux:python-gofer", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-arel", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-builder", "p-cpe:/a:redhat:enterprise_linux:python-gofer-qpid", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-coffee-rails", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-coffee-script", "p-cpe:/a:redhat:enterprise_linux:python-imgcreate", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-coffee-script-source", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-concurrent-ruby", "p-cpe:/a:redhat:enterprise_linux:python-kid", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-crass", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-erubi", "p-cpe:/a:redhat:enterprise_linux:python-mongoengine", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-execjs", "p-cpe:/a:redhat:enterprise_linux:python-oauth2", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-globalid", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-i18n", "p-cpe:/a:redhat:enterprise_linux:python-psutil", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-loofah", "p-cpe:/a:redhat:enterprise_linux:python-pulp-agent-lib", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-mail", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-marcel", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-mime-types-data", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-method_source", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-mime-types", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-runtime", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-mimemagic", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activerecord-import", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activerecord-session_store", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-mini_mime", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-addressable", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-algebrick", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-mini_portile2", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ancestry", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-multi_json", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-anemone", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-angular-rails-templates", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-mustermann", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-apipie-bindings", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-apipie-params", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-nio4r", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-apipie-rails", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-nokogiri", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-audited", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-awesome_print", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-rack", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-bundler_ext", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-rack-protection", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-clamp", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-rack-test", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-concurrent-ruby-edge", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-css_parser", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-daemons", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-deacon", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-rails", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-declarative", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-declarative-option", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-rails-dom-testing", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-deep_cloneable", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-rails-html-sanitizer", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-deface", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-diffy", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-railties", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-domain_name", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-dynflow", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-sinatra", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ethon", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-sprockets", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-excon", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-sprockets-rails", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-facter", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-faraday", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-sqlite3", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fast_gettext", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-thor", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ffi", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-thread_safe", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-aws", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-core", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-google", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-json", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-tilt", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-kubevirt", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-libvirt", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-turbolinks", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-openstack", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-ovirt", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-tzinfo", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-rackspace", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-vsphere", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-websocket-driver", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-xml", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman-tasks", "p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-websocket-extensions", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman-tasks-core", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-google-api-client", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_ansible", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_ansible_core", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-googleauth", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_bootdisk", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_discovery", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-graphql", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_docker", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-graphql-batch", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_hooks", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_kubevirt", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_openscap", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_remote_execution", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-gssapi", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_remote_execution_core", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_templates", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_theme_satellite", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_virt_who_configure", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-formatador", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-friendly_id", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_admin", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-get_process_mem", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_ansible", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-gettext", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-gettext_i18n_rails", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_bootdisk", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-git", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_discovery", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-http", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_docker", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-http-cookie", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_kubevirt", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-http-form_data", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-http_parser.rb", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_openscap", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-httpclient", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ipaddress", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-jgrep", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_remote_execution", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-journald-logger", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-journald-native", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_tasks", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-jwt", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-katello", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_templates", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-kubeclient", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ldap_fluff", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-little-plugger", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_virt_who_configure", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-locale", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_katello", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-logging", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-logging-journald", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hashie", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-memoist", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-highline", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-multipart-post", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-ldap", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-qpid_messaging", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-ping", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-scp", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-quantile", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-ssh", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-ssh-krb", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-netrc", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-oauth", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rabl", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-optimist", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-os", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rack-cors", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ovirt-engine-sdk", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rack-jsonp", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ovirt_provision_plugin", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-parse-cron", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-passenger", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rails-i18n", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-passenger-native", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-passenger-native-libs", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rainbow", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pg", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rbovirt", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-polyglot", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rbvmomi", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-powerbar", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-prometheus-client", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-record_tag_helper", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-promise.rb", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-recursive-open-struct", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-public_suffix", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-redhat_access", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-redhat_access_lib", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-representable", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-responders", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rest-client", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-retriable", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-roadie", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-roadie-rails", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-robotex", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ruby-libvirt", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ruby2ruby", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ruby_parser", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-runcible", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-safemode", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-scoped_search", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-secure_headers", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sequel", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sexp_processor", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-signet", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_dynflow_core", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sshkey", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-statsd-instrument", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-text", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-typhoeus", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-uber", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-unf", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-unf_ext", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-unicode", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-unicode-display_width", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-validates_lengths_from_database", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-webpack-rails", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-wicked", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-will_paginate", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-x-editable-rails", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-zest", "p-cpe:/a:redhat:enterprise_linux:tfm-runtime"], "id": "REDHAT-RHSA-2019-3172.NASL", "href": "https://www.tenable.com/plugins/nessus/130187", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2019:3172. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(130187);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/18\");\n\n script_cve_id(\n \"CVE-2018-16470\",\n \"CVE-2018-1000632\",\n \"CVE-2019-3893\",\n \"CVE-2019-10198\",\n \"CVE-2019-14825\"\n );\n script_bugtraq_id(\n 106608,\n 107166,\n 107846,\n 109151\n );\n script_xref(name:\"RHSA\", value:\"2019:3172\");\n\n script_name(english:\"RHEL 7 : Red Hat Satellite 6 (RHSA-2019:3172)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2019:3172 advisory.\n\n - python-werkzeug: Cross-site scripting in render_full function in debug/tbtools.py (CVE-2016-10516)\n\n - python-jinja2: Sandbox escape due to information disclosure via str.format (CVE-2016-10745)\n\n - dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity\n of XML documents (CVE-2018-1000632)\n\n - rubygem-rack: Buffer size in multipart parser allows for denial of service (CVE-2018-16470)\n\n - foreman: authorization bypasses in foreman-tasks leading to information disclosure (CVE-2019-10198)\n\n - python-jinja2: str.format_map allows sandbox escape (CVE-2019-10906)\n\n - python-twisted: Improper neutralization of CRLF characters in URIs and HTTP methods (CVE-2019-12387)\n\n - katello: registry credentials are captured in plain text during repository discovery (CVE-2019-14825)\n\n - foreman: Recover of plaintext password or token for the compute resources (CVE-2019-3893)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/79.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/88.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/113.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/138.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/287.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/319.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/732.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2016-10516\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2016-10745\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2018-16470\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2018-1000632\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-3893\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-10198\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-10906\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-12387\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14825\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2019:3172\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1512102\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1620529\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1646814\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1696400\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1698345\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1698839\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1719501\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1729130\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1739485\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1000632\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(79, 88, 113, 138, 287, 319, 400, 732);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ansible-runner\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ansiblerole-foreman_scap_client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ansiblerole-insights-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:candlepin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:candlepin-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:createrepo_c\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:createrepo_c-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-bootloaders-redhat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-bootloaders-redhat-tftpboot\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-discovery-image\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-ec2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-gce\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-installer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-installer-katello\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-journald\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-libvirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-openstack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-ovirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-proxy-content\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-proxy-journald\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-rackspace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-telemetry\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-vmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hfsplus-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-certs-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-client-bootstrap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-service\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kobo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libmodulemd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libsolv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libwebsockets\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:livecd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_passenger\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_xsendfile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ostree\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pcp-mmvstatsd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-admin-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-docker-admin-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-docker-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-katello\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-maintenance\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-nodes-child\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-nodes-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-nodes-parent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-ostree-admin-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-ostree-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-puppet-admin-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-puppet-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-puppet-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-rpm-admin-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-rpm-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:puppet-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:puppet-agent-oauth\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:puppet-foreman_scap_client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:puppetlabs-stdlib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:puppetserver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pycairo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-blinker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-bson\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-gnupg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-gofer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-gofer-qpid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-imgcreate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-kid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-mongoengine\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-oauth2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-psutil\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-agent-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-bindings\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-client-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-docker-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-integrity\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-oid_validation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-ostree-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-puppet-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-repoauth\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-rpm-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-streamer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pymongo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pymongo-gridfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-qpid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-qpid-proton\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-qpid-qmf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-saslwrapper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-semantic_version\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-simplejson\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-zope-interface\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-amqp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-ansible-runner\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-anyjson\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-billiard\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-celery\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-click\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-crane\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-daemon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-flask\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-future\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-gobject\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-gobject-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-isodate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-itsdangerous\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-jinja2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-kombu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-lockfile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-markupsafe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-nectar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-okaara\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-pexpect\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-ptyprocess\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-pycurl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-solv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-twisted\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-vine\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-werkzeug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-linearstore\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-dispatch-router\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-dispatch-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-proton-c\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-qmf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:redhat-access-insights-puppet\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:repoview\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rhel8-kickstart-setup\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-ansi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-bundler_ext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-clamp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-concurrent-ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-facter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-faraday\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-faraday_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-fast_gettext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-ffi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-foreman_scap_client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-gssapi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-hashie\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-highline\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-infoblox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-journald-logger\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-journald-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-jwt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-kafo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-kafo_parsers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-kafo_wizards\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-little-plugger\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-logging\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-logging-journald\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-mime-types\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-multi_json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-multipart-post\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-net-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-netrc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-newt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-oauth\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-openscap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-passenger\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-passenger-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-passenger-native-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-powerbar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-rack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-rack-protection\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-rake\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-rb-inotify\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-rest-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-rkerberos\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-rsec\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-rubyipmi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-sinatra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_ansible\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_dhcp_infoblox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_dhcp_remote_isc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_discovery\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_discovery_image\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_dns_infoblox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_dynflow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_openscap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_pulp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_remote_execution_ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-tilt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:saslwrapper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:satellite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:satellite-capsule\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:satellite-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:satellite-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:satellite-debug-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:satellite-installer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-actioncable\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-actionmailer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-actionpack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-actionview\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-activejob\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-activemodel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-activerecord\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-activestorage\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-activesupport\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-arel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-builder\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-coffee-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-coffee-script\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-coffee-script-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-concurrent-ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-crass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-erubi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-execjs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-globalid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-i18n\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-loofah\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-mail\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-marcel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-method_source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-mime-types\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-mime-types-data\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-mimemagic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-mini_mime\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-mini_portile2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-multi_json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-mustermann\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-nio4r\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-nokogiri\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-rack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-rack-protection\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-rack-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-rails-dom-testing\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-rails-html-sanitizer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-railties\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-sinatra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-sprockets\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-sprockets-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-sqlite3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-thor\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-thread_safe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-tilt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-turbolinks\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-tzinfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-websocket-driver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-rubygem-websocket-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-ror52-runtime\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activerecord-import\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activerecord-session_store\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-addressable\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-algebrick\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ancestry\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-anemone\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-angular-rails-templates\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-apipie-bindings\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-apipie-params\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-apipie-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-audited\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-awesome_print\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-bundler_ext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-clamp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-concurrent-ruby-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-css_parser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-daemons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-deacon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-declarative\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-declarative-option\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-deep_cloneable\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-deface\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-diffy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-domain_name\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-dynflow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ethon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-excon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-facter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-faraday\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fast_gettext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ffi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-google\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-kubevirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-libvirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-openstack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-ovirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-rackspace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-vsphere\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman-tasks\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman-tasks-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_ansible\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_ansible_core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_bootdisk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_discovery\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_hooks\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_kubevirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_openscap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_remote_execution\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_remote_execution_core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_templates\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_theme_satellite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_virt_who_configure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-formatador\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-friendly_id\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-get_process_mem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-gettext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-gettext_i18n_rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-git\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-google-api-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-googleauth\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-graphql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-graphql-batch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-gssapi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_admin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_ansible\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_bootdisk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_discovery\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_kubevirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_openscap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_remote_execution\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_tasks\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_templates\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_virt_who_configure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_katello\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hashie\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-highline\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-http\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-http-cookie\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-http-form_data\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-http_parser.rb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-httpclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ipaddress\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-jgrep\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-journald-logger\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-journald-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-jwt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-katello\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-kubeclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ldap_fluff\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-little-plugger\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-locale\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-logging\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-logging-journald\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-memoist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-multipart-post\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-ping\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-scp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-ssh-krb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-netrc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-oauth\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-optimist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-os\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ovirt-engine-sdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ovirt_provision_plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-parse-cron\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-passenger\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-passenger-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-passenger-native-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-polyglot\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-powerbar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-prometheus-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-promise.rb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-public_suffix\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-qpid_messaging\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-quantile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rabl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rack-cors\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rack-jsonp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rails-i18n\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rainbow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rbovirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rbvmomi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-record_tag_helper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-recursive-open-struct\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-redhat_access\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-redhat_access_lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-representable\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-responders\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rest-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-retriable\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-roadie\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-roadie-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-robotex\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ruby-libvirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ruby2ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ruby_parser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-runcible\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-safemode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-scoped_search\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-secure_headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sequel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sexp_processor\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-signet\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_dynflow_core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sshkey\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-statsd-instrument\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-text\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-typhoeus\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-uber\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-unf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-unf_ext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-unicode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-unicode-display_width\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-validates_lengths_from_database\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-webpack-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-wicked\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-will_paginate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-x-editable-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-zest\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-runtime\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'satellite_6_6_el7': [\n 'rhel-7-server-satellite-6.6-debug-rpms',\n 'rhel-7-server-satellite-6.6-rpms',\n 'rhel-7-server-satellite-6.6-source-rpms'\n ],\n 'satellite_capsule_6_6_el7': [\n 'rhel-7-server-satellite-capsule-6.6-debug-rpms',\n 'rhel-7-server-satellite-capsule-6.6-rpms',\n 'rhel-7-server-satellite-capsule-6.6-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2019:3172');\n}\n\npkgs = [\n {'reference':'ansible-runner-1.3.4-2.el7ar', 'release':'7', 'el_string':'el7ar', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'ansiblerole-foreman_scap_client-0.0.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'ansiblerole-insights-client-1.6-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'candlepin-2.6.9-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'candlepin-selinux-2.6.9-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'createrepo_c-0.7.4-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'createrepo_c-libs-0.7.4-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-1.22.0.32-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-bootloaders-redhat-201901011200-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-bootloaders-redhat-tftpboot-201901011200-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-cli-1.22.0.32-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-debug-1.22.0.32-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-discovery-image-3.5.4-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-ec2-1.22.0.32-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-gce-1.22.0.32-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-installer-1.22.0.16-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-installer-katello-1.22.0.16-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-journald-1.22.0.32-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-libvirt-1.22.0.32-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-openstack-1.22.0.32-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-ovirt-1.22.0.32-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-postgresql-1.22.0.32-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-proxy-1.22.0.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-proxy-content-3.12.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-proxy-journald-1.22.0.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-rackspace-1.22.0.32-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-selinux-1.22.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-telemetry-1.22.0.32-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'foreman-vmware-1.22.0.32-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'hfsplus-tools-332.14-12.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'katello-3.12.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'katello-certs-tools-2.6.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'katello-client-bootstrap-1.7.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'katello-common-3.12.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'katello-debug-3.12.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'katello-selinux-3.1.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'katello-service-3.12.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'kobo-0.5.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'libmodulemd-1.7.0-1.pulp.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'libsolv-0.7.4-3.pulp.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'libwebsockets-2.4.2-2.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'livecd-tools-20.4-1.6.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'mod_passenger-4.0.18-24.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'mod_xsendfile-0.12-11.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'ostree-2017.1-2.atomic.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pcp-mmvstatsd-0.4-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pulp-admin-client-2.19.1.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pulp-docker-admin-extensions-3.2.3.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pulp-docker-plugins-3.2.3.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pulp-katello-1.0.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pulp-maintenance-2.19.1.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pulp-nodes-child-2.19.1.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pulp-nodes-common-2.19.1.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pulp-nodes-parent-2.19.1.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pulp-ostree-admin-extensions-1.3.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pulp-ostree-plugins-1.3.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pulp-puppet-admin-extensions-2.19.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pulp-puppet-plugins-2.19.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pulp-puppet-tools-2.19.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pulp-rpm-admin-extensions-2.19.1.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pulp-rpm-plugins-2.19.1.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pulp-selinux-2.19.1.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pulp-server-2.19.1.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'puppet-agent-5.5.12-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'puppet-agent-oauth-0.5.1-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'puppet-foreman_scap_client-0.3.19-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'puppetlabs-stdlib-4.25.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'puppetserver-5.3.8-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'pycairo-1.16.3-9.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-blinker-1.3-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-bson-3.2-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-gnupg-0.3.7-1.el7ui', 'release':'7', 'el_string':'el7ui', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-gofer-2.12.5-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-gofer-qpid-2.12.5-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-imgcreate-20.4-1.6.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-kid-0.9.6-11.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-mongoengine-0.10.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-oauth2-1.5.211-8.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-psutil-5.0.1-3.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-pulp-agent-lib-2.19.1.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-pulp-bindings-2.19.1.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-pulp-client-lib-2.19.1.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-pulp-common-2.19.1.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-pulp-docker-common-3.2.3.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-pulp-integrity-2.19.1.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-pulp-oid_validation-2.19.1.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-pulp-ostree-common-1.3.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-pulp-puppet-common-2.19.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-pulp-repoauth-2.19.1.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-pulp-rpm-common-2.19.1.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-pulp-streamer-2.19.1.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-pymongo-3.2-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-pymongo-gridfs-3.2-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-qpid-1.35.0-5.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-qpid-proton-0.28.0-1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-qpid-qmf-1.36.0-28.el7amq', 'cpu':'x86_64', 'release':'7', 'el_string':'el7amq', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-saslwrapper-0.22-5.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-semantic_version-2.2.0-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-simplejson-3.2.0-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python-zope-interface-4.0.5-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-amqp-2.2.2-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-ansible-runner-1.3.4-2.el7ar', 'release':'7', 'el_string':'el7ar', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-anyjson-0.3.3-11.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-billiard-3.5.0.3-3.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-celery-4.0.2-9.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-click-6.7-9.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-crane-3.3.1-9.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-daemon-2.1.2-7.el7at', 'release':'7', 'el_string':'el7at', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-django-1.11.13-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-flask-0.12.2-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-future-0.16.0-11.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-gobject-3.28.3-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-gobject-base-3.28.3-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-isodate-0.5.4-12.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-itsdangerous-0.24-15.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-jinja2-2.10-10.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-kombu-4.0.2-13.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'10', 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-lockfile-0.11.0-10.el7ar', 'release':'7', 'el_string':'el7ar', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-markupsafe-0.23-21.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-nectar-1.6.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-okaara-1.0.37-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-pexpect-4.6-1.el7at', 'release':'7', 'el_string':'el7at', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-ptyprocess-0.5.2-3.el7at', 'release':'7', 'el_string':'el7at', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-pycurl-7.43.0.2-4.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-solv-0.7.4-3.pulp.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-twisted-16.4.1-12.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-vine-1.1.3-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'10', 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'python2-werkzeug-0.12.2-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'qpid-cpp-client-1.36.0-28.el7amq', 'cpu':'x86_64', 'release':'7', 'el_string':'el7amq', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'qpid-cpp-client-devel-1.36.0-28.el7amq', 'cpu':'x86_64', 'release':'7', 'el_string':'el7amq', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'qpid-cpp-server-1.36.0-28.el7amq', 'cpu':'x86_64', 'release':'7', 'el_string':'el7amq', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'qpid-cpp-server-linearstore-1.36.0-28.el7amq', 'cpu':'x86_64', 'release':'7', 'el_string':'el7amq', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'qpid-dispatch-router-1.5.0-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'qpid-dispatch-tools-1.5.0-4.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'qpid-proton-c-0.28.0-1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'qpid-qmf-1.36.0-28.el7amq', 'cpu':'x86_64', 'release':'7', 'el_string':'el7amq', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'qpid-tools-1.36.0-28.el7amq', 'release':'7', 'el_string':'el7amq', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'redhat-access-insights-puppet-1.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'repoview-0.6.6-11.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rhel8-kickstart-setup-0.0.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-ansi-1.4.3-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-bundler_ext-0.4.1-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-clamp-1.1.2-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-concurrent-ruby-1.1.4-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-facter-2.4.1-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-faraday-0.15.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-faraday_middleware-0.13.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-fast_gettext-1.1.0-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-ffi-1.4.0-3.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-foreman_scap_client-0.4.6-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-gssapi-1.1.2-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-hashie-2.0.5-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-highline-1.7.8-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-infoblox-3.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-journald-logger-2.0.4-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-journald-native-1.0.11-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-jwt-1.2.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-kafo-3.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-kafo_parsers-1.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-kafo_wizards-0.0.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-little-plugger-1.1.3-22.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-logging-2.2.2-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-logging-journald-2.0.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-mime-types-1.19-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-multi_json-1.12.2-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-multipart-post-2.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-net-ssh-4.2.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-netrc-0.7.7-9.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-newt-0.9.6-3.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-oauth-0.5.4-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-openscap-0.4.7-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-passenger-4.0.18-24.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-passenger-native-4.0.18-24.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-passenger-native-libs-4.0.18-24.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-powerbar-2.0.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-rack-1.6.4-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-rack-protection-1.5.3-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-rake-0.9.2.2-41.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-rb-inotify-0.9.7-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-rest-client-1.6.7-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-rkerberos-0.1.5-15.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-rsec-0.4.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-rubyipmi-0.10.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-sinatra-1.4.7-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-smart_proxy_ansible-3.0.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-smart_proxy_dhcp_infoblox-0.0.15-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-smart_proxy_dhcp_remote_isc-0.0.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-smart_proxy_discovery-1.0.5-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-smart_proxy_discovery_image-1.0.9-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-smart_proxy_dns_infoblox-1.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-smart_proxy_dynflow-0.2.2-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-smart_proxy_openscap-0.7.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-smart_proxy_pulp-1.4.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-smart_proxy_remote_execution_ssh-0.2.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'rubygem-tilt-1.3.7-2.git.0.3b416c9.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'saslwrapper-0.22-5.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'satellite-6.6.0-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'satellite-capsule-6.6.0-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'satellite-cli-6.6.0-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'satellite-common-6.6.0-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'satellite-debug-tools-6.6.0-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'satellite-installer-6.6.0.21-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-actioncable-5.2.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-actionmailer-5.2.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-actionpack-5.2.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-actionview-5.2.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-activejob-5.2.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-activemodel-5.2.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-activerecord-5.2.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-activestorage-5.2.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-activesupport-5.2.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-arel-9.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-builder-3.2.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-coffee-rails-4.2.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-coffee-script-2.4.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-coffee-script-source-1.12.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-concurrent-ruby-1.1.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-crass-1.0.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-erubi-1.7.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-execjs-2.7.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-globalid-0.4.1-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-i18n-1.4.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-loofah-2.2.2-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-mail-2.7.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-marcel-0.3.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-method_source-0.9.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-mime-types-3.2.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-mime-types-data-3.2018.0812-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-mimemagic-0.3.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-mini_mime-1.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-mini_portile2-2.3.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-multi_json-1.13.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-mustermann-1.0.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-nio4r-2.3.1-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-nokogiri-1.8.4-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-rack-2.0.6-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-rack-protection-2.0.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-rack-test-1.1.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-rails-5.2.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-rails-dom-testing-2.0.3-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-rails-html-sanitizer-1.0.4-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-railties-5.2.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-sinatra-2.0.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-sprockets-3.7.2-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-sprockets-rails-3.2.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-sqlite3-1.3.13-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-thor-0.20.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-thread_safe-0.3.6-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-tilt-2.0.8-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-turbolinks-2.5.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-tzinfo-1.2.5-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-websocket-driver-0.7.0-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-rubygem-websocket-extensions-0.1.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-ror52-runtime-1.0-4.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-activerecord-import-1.0.0-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-activerecord-session_store-1.1.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-addressable-2.6.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-algebrick-0.7.3-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-ancestry-3.0.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-anemone-0.7.2-20.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-angular-rails-templates-1.0.2-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-apipie-bindings-0.2.2-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-apipie-params-0.0.5-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-apipie-rails-0.5.14-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-audited-4.7.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-awesome_print-1.8.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-bundler_ext-0.4.1-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-clamp-1.1.2-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-concurrent-ruby-edge-0.4.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-css_parser-1.4.7-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-daemons-1.2.3-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-deacon-1.0.0-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-declarative-0.0.10-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-declarative-option-0.1.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-deep_cloneable-2.3.2-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-deface-1.3.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-diffy-3.0.1-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-domain_name-0.5.20160310-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-dynflow-1.2.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-ethon-0.12.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-excon-0.58.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-facter-2.4.0-6.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-faraday-0.15.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-fast_gettext-1.4.1-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-ffi-1.4.0-12.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-fog-aws-3.5.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-fog-core-2.1.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-fog-google-1.8.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-fog-json-1.2.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-fog-kubevirt-1.3.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-fog-libvirt-0.6.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-fog-openstack-1.0.8-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-fog-ovirt-1.1.5-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-fog-rackspace-0.1.4-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-fog-vsphere-3.2.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-fog-xml-0.1.2-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-foreman-tasks-0.15.11.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-foreman-tasks-core-0.3.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-foreman_ansible-3.0.7.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-foreman_ansible_core-3.0.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-foreman_bootdisk-15.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-foreman_discovery-15.0.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-foreman_docker-5.0.0.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-foreman_hooks-0.3.15-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-foreman_kubevirt-0.1.5.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-foreman_openscap-1.0.8-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-foreman_remote_execution-1.8.0.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-foreman_remote_execution_core-1.2.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-foreman_templates-6.0.3-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-foreman_theme_satellite-4.0.1.7-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-foreman_virt_who_configure-0.4.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-formatador-0.2.1-11.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-friendly_id-5.2.4-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-get_process_mem-0.2.1-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-gettext-3.1.4-10.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-gettext_i18n_rails-1.8.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-git-1.5.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-google-api-client-0.23.9-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-googleauth-0.6.7-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-graphql-1.8.14-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-graphql-batch-0.3.10-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-gssapi-1.2.0-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-hammer_cli-0.17.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-hammer_cli_foreman-0.17.0.8-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-hammer_cli_foreman_admin-0.0.8-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-hammer_cli_foreman_ansible-0.3.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-hammer_cli_foreman_bootdisk-0.1.3.3-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-hammer_cli_foreman_discovery-1.0.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-hammer_cli_foreman_docker-0.0.6.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-hammer_cli_foreman_kubevirt-0.1.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-hammer_cli_foreman_openscap-0.1.7-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-hammer_cli_foreman_remote_execution-0.1.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-hammer_cli_foreman_tasks-0.0.13-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-hammer_cli_foreman_templates-0.1.2-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-hammer_cli_foreman_virt_who_configure-0.0.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-hammer_cli_katello-0.18.0.6-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-hashie-3.6.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-highline-1.7.8-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-http-3.3.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-http-cookie-1.0.2-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-http-form_data-2.1.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-http_parser.rb-0.6.0-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-httpclient-2.8.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-ipaddress-0.8.0-11.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-jgrep-1.3.3-12.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-journald-logger-2.0.4-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-journald-native-1.0.11-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-jwt-2.1.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-katello-3.12.0.27-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-kubeclient-4.3.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-ldap_fluff-0.4.7-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-little-plugger-1.1.3-24.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-locale-2.0.9-13.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-logging-2.2.2-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-logging-journald-2.0.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-memoist-0.16.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-multipart-post-2.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-net-ldap-0.15.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-net-ping-2.0.1-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-net-scp-1.2.1-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-net-ssh-4.2.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-net-ssh-krb-0.4.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-netrc-0.11.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-oauth-0.5.4-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-optimist-3.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-os-1.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-ovirt-engine-sdk-4.2.3-3.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-ovirt_provision_plugin-2.0.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-parse-cron-0.1.4-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-passenger-4.0.18-10.12.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-passenger-native-4.0.18-10.12.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-passenger-native-libs-4.0.18-10.12.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-pg-0.21.0-3.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-polyglot-0.3.5-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-powerbar-2.0.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-prometheus-client-0.7.1-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-promise.rb-0.7.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-public_suffix-3.0.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-qpid_messaging-1.36.0-9.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-quantile-0.2.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-rabl-0.13.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-rack-cors-1.0.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-rack-jsonp-1.3.1-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-rails-i18n-5.1.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-rainbow-2.2.1-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-rbovirt-0.1.7-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-rbvmomi-2.2.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-record_tag_helper-1.0.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-recursive-open-struct-1.1.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-redhat_access-2.2.8-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-redhat_access_lib-1.1.5-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-representable-3.0.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-responders-2.4.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-rest-client-2.0.1-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-retriable-3.1.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-roadie-3.4.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-roadie-rails-2.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-robotex-1.0.0-21.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-ruby-libvirt-0.7.0-4.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-ruby2ruby-2.4.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-ruby_parser-3.10.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-runcible-2.11.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-safemode-1.3.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-scoped_search-4.1.7-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-secure_headers-6.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-sequel-5.7.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-sexp_processor-4.10.0-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-signet-0.11.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-smart_proxy_dynflow_core-0.2.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-sshkey-1.9.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-statsd-instrument-2.1.4-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-text-1.3.0-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-typhoeus-1.3.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-uber-0.1.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-unf-0.1.3-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-unf_ext-0.0.6-9.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-unicode-0.4.4.1-6.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-unicode-display_width-1.0.5-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-validates_lengths_from_database-0.5.0-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-webpack-rails-0.9.8-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-wicked-1.3.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-will_paginate-3.1.5-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-x-editable-rails-1.5.5-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-rubygem-zest-0.0.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']},\n {'reference':'tfm-runtime-5.0-7.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['satellite_6_6_el7', 'satellite_capsule_6_6_el7']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ansible-runner / ansiblerole-foreman_scap_client / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "veracode": [{"lastseen": "2023-04-18T15:36:21", "description": "dom4j is vulnerable to XML External Entity (XXE) attacks. The library does not properly validate the attributes that can be inserted by the user, allowing a malicious user to conduct an XXE attack.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-21T09:14:23", "type": "veracode", "title": "XML External Entity (XXE)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2021-05-12T12:12:09", "id": "VERACODE:7341", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-7341/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "ubuntucve": [{"lastseen": "2023-12-07T15:02:01", "description": "dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection\nvulnerability in Class: Element. Methods: addElement, addAttribute that can\nresult in an attacker tampering with XML documents through XML injection.\nThis attack appear to be exploitable via an attacker specifying attributes\nor elements in the XML document. This vulnerability appears to have been\nfixed in 2.1.1 or later.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-20T00:00:00", "type": "ubuntucve", "title": "CVE-2018-1000632", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2018-08-20T00:00:00", "id": "UB:CVE-2018-1000632", "href": "https://ubuntu.com/security/CVE-2018-1000632", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "mageia": [{"lastseen": "2023-12-07T17:03:28", "description": "dom4j version prior to version 2.1.1 contains an XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document (CVE-2018-1000632). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-02-14T11:38:16", "type": "mageia", "title": "Updated dom4j packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2019-02-14T11:38:16", "id": "MGASA-2019-0077", "href": "https://advisories.mageia.org/MGASA-2019-0077.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "ibm": [{"lastseen": "2023-12-07T18:21:13", "description": "## Summary\n\nVulnerability in dom4j allows remote attacker to execute arbitrary code on the system may affect IBM Spectrum Control.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2018-1000632](<https://vulners.com/cve/CVE-2018-1000632>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Spectrum Control| 5.4 \n \n\n\n## Remediation/Fixes\n\n**Release**| **First Fixing** \n**VRM Level**| ** Link to Fix** \n---|---|--- \n5.4| 5.4.10| **<https://www.ibm.com/support/pages/latest-downloads-ibm-spectrum-control>** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-03-03T05:55:34", "type": "ibm", "title": "Security Bulletin: IBM Spectrum Control is vulnerable to weakness related to dom4j", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2023-03-03T05:55:34", "id": "CB01E6853C64C288BE80DDE27064824F3B99801B8CD6E6B5203368FB629091EC", "href": "https://www.ibm.com/support/pages/node/6959029", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-07T17:59:49", "description": "## Summary\n\nVulnerability have been identified in dom4j-1.6.1.jar which is shipped with IBM\u00ae Intelligent Operations Center. Information about this vulnerability affecting IBM\u00ae Intelligent Operations Center have been published and addressed the applicable CVEs.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2018-1000632](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIntelligent Operations Center (IOC)| 5.1.0, 5.1.0.2, 5.1.0.3, 5.1.0.4, 5.1.0.6, 5.2, 5.2.1, 5.2.2, 5.2.3 \n \n## Remediation/Fixes\n\nThe recommended solution is to apply an interim fix that contains the fix for this issue as soon as practical.\n\nDownload the IBM Intelligent Operations Center Version 5.2.4 is an upgrade to IBM Intelligent Operations Center Version 5.2.3 through IBM Intelligent Operations Center Version 5.2 from the following link:\n\n[IBM Intelligent Operations Center Version 5.2.4](<https://www.ibm.com/support/pages/node/7022369>)\n\nInstallation instructions for the fix are included in the readme document that is in the fix package.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-09-05T12:33:50", "type": "ibm", "title": "Security Bulletin: Vulnerability found in dom4j-1.6.1.jar which is shipped with IBM\u00ae Intelligent Operations Center(CVE-2018-1000632)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2023-09-05T12:33:50", "id": "FFF61835C72330962E1EE49EB4E204840FE39F4532D4920DF766E57BAE1B8221", "href": "https://www.ibm.com/support/pages/node/7030619", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-07T18:37:00", "description": "## Summary\n\nIBM Security Verify Governance uses dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods (CVE-2018-1000632). The fix includes upgrading the dom4j jar to the patched version.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2018-1000632](<https://vulners.com/cve/CVE-2018-1000632>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Security Verify Governance| 10.0 \n \n## Remediation/Fixes\n\nAffected Product(s)\n\n| \n\nVersion(s)\n\n| \n\nFirst Fix \n \n---|---|--- \n \nIBM Security Verify Governance\n\n| \n\n10.0.1\n\n| \n\n[10.0.1.0-ISS-ISVG-IGVA-FP0002](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Verify+Governance&release=10.0.0.0&platform=Linux&function=fixId&fixids=10.0.1.0-ISS-ISVG-IGVA-FP0002&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-11-21T12:41:38", "type": "ibm", "title": "Security Bulletin: IBM Security Verify Governance is vulnerable to arbitrary code execution due to use of dom4j (CVE-2018-1000632)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2022-11-21T12:41:38", "id": "37FEDFA5DF3F0060E544688E9EF0F5DB94DF9FBB54A45BA5388CFB35F53DA927", "href": "https://www.ibm.com/support/pages/node/6836923", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-04-23T20:38:23", "description": "## Summary\n\nThere is an XML Injection vulnerability in dom4j that affects Apache Solr.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2018-1000632](<https://vulners.com/cve/CVE-2018-1000632>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nLog Analysis| 1.3.1 \nLog Analysis| 1.3.2 \nLog Analysis| 1.3.3 \nLog Analysis| 1.3.4 \nLog Analysis| 1.3.5 \nLog Analysis| 1.3.6 \n \n \n \n\n\n \n\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s) :| Fix details \n---|--- \nIBM Operations Analytics - Log Analysis version 1.3.x| Upgrade to Log Analysis version 1.3.7 \nDownload the 1.3.7-TIV-IOALA-FP [here](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Operations%20Analytics&product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Log+Analysis&release=1.3.7&platform=All&function=all> \"here\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-16T06:03:16", "type": "ibm", "title": "Security Bulletin: dom4j Vulnerability in Apache Solr shipped with IBM Operations Analytics - Log Analysis Analysis (CVE-2018-1000632)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2021-04-16T06:03:16", "id": "E64AB3ADC23B600EA6ED20359A0A41DC683503D7E0E0C1B0EA08877FC18ADCD0", "href": "https://www.ibm.com/support/pages/node/6444035", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-07T18:00:37", "description": "## Summary\n\nIBM Tivoli Composite Application Manager (ITCAM) for Transactions - Transaction Tracking has addressed the following dom4j-1.6.1.jar vulnerability and updated dom4j.jar file from version 1.6.1 to 2.1.4\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2018-1000632](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITCAM for Transactions| 7.4.0.2 \n \n## Remediation/Fixes\n\nITCAM for Transaction Tracking 7.4.0.2 IFix 22 - [7.4.0.2-TIV-CAMTT-IF0022](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Composite+Application+Manager+for+Transactions&fixids=7.4.0.2-TIV-CAMTT-IF0022&source=SAR>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-08-30T11:05:38", "type": "ibm", "title": "Security Bulletin: ITCAM for Transactions affected by the Security vulnerability CVE-2018-1000632 found in dom4j-1.6.1.jar", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2023-08-30T11:05:38", "id": "D2F50568EE4DA937EE17845E1DD5EBF05D635A0EA8DF1A71A541344922C646AE", "href": "https://www.ibm.com/support/pages/node/7029825", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-07T18:50:37", "description": "## Summary\n\nThere is a vulnerability in the version of Dom4j that is part of IBM SPSS Statistics. IBM SPSS Statistics has addressed this vulnerability.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2018-1000632](<https://vulners.com/cve/CVE-2018-1000632>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM SPSS Statistics | 28.0 \n \n\n\n## Remediation/Fixes\n\nUpgrade software to IBM SPSS Statistics v. 29.0\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-09-13T20:08:24", "type": "ibm", "title": "Security Bulletin: Dom4j Vulnerability affects IBM SPSS Statistics (CVE-2018-1000632)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2022-09-13T20:08:24", "id": "172A294B4E2CF6C12D3CB6DE7719E22FDCF3394F3511D668B2CFA99B26749D80", "href": "https://www.ibm.com/support/pages/node/6620049", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:48:58", "description": "## Summary\n\nIBM Sterling B2B Integrator has addressed a Dom4j XML injection vulnerability.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2018-1000632](<https://vulners.com/cve/CVE-2018-1000632>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling B2B Integrator| 6.0.0.0 - 6.0.3.2 \nIBM Sterling B2B Integrator| 5.2.0.0 - 5.2.6.5_2 \n \n\n\n## Remediation/Fixes\n\n** Product & Version**| **APAR**| ** Remediation & Fix** \n---|---|--- \n5.2.0.0 - 5.2.6.5_2| IT34904| Apply IBM Sterling B2B Integrator version 5.2.6.5_3, 6.0.3.3 or 6.1.0.0 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n6.0.0.0 - 6.0.3.2| IT34904| Apply IBM Sterling B2B Integrator version 6.0.3.3 or 6.1.0.0 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-11-13T18:51:11", "type": "ibm", "title": "Security Bulletin: Dom4j XML Injection Vulnerability Affects IBM Sterling B2B Integrator (CVE-2018-1000632)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2020-11-13T18:51:11", "id": "C868750A64F1F0DE2A582ECF9C49046F23D8C1A898586CEBEE0D5DF55CF4FBA1", "href": "https://www.ibm.com/support/pages/node/6367929", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-07T18:52:21", "description": "## Summary\n\nIBM Tririga is vulnerable to remote attacker due to dom4j open source.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2018-1000632](<https://vulners.com/cve/CVE-2018-1000632>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM TRIRIGA Application Platform| 3.6. \nIBM TRIRIGA Application Platform| 3.7 \nIBM TRIRIGA Application Platform | 3.8 \nIBM TRIRIGA Application Platform | 4.0 \nIBM TRIRIGA Application Platform | 4.1 \n \n## Remediation/Fixes\n\n**Product**| **VRMF**| \n\n**Remediation/First Fix** \n \n---|---|--- \nIBM TRIRIGA Application Platform| 3.6.1.3| The fix is available for download on [FixCentral](<https://www.ibm.com/mysupport/s/ibm-community-support-search-results?q=Tririga%203.6.1.3&language=en_US> \"FixCentral\" ). \nIBM TRIRIGA Application Platform| 3.7.0.1| The fix is available for download on [FixCental](<https://www.ibm.com/mysupport/s/ibm-community-support-search-results?q=Tririga%203.7.0.1&language=en_US> \"FixCental\" ) \nIBM TRIRIGA Application Platform| 3.8.0.1| The fix is available for download on [FixCental](<https://www.ibm.com/mysupport/s/ibm-community-support-search-results?q=Tririga%203.8.0.1&language=en_US> \"FixCental\" ) \nIBM TRIRIGA Application Platform| 4.0.2| The fix is available for download on [FixCental](<https://www.ibm.com/mysupport/s/ibm-community-support-search-results?q=Tririga%204.0.2&language=en_US> \"FixCental\" ) \nIBM TRIRIGA Application Platform| 4.1.1| The fix is available for download on [FixCental](<https://www.ibm.com/mysupport/s/ibm-community-support-search-results?q=Tririga%204.1.1&language=en_US> \"FixCental\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-30T15:23:52", "type": "ibm", "title": "Security Bulletin: Tririga is vulnerable to remote hacker due to dom4j open source", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2022-08-30T15:23:52", "id": "F231A1135B58328EB93FE9F162165688AF51DA93D4A867DE99250877EF9D4E04", "href": "https://www.ibm.com/support/pages/node/6616093", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:49:25", "description": "## Summary\n\nDom4j as used by IBM QRadar SIEM contains multiple vulnerabilities\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2018-1000632](<https://vulners.com/cve/CVE-2018-1000632>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-10683](<https://vulners.com/cve/CVE-2020-10683>) \n** DESCRIPTION: **dom4j could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending specially crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181356](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181356>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\n**7.3**\n\nAll WindowsDHCPProtocol versions before 7.3.0-QRADAR-PROTOCOL-WindowsDHCPProtocol-7.3-20201007124637\n\nAll SmbTailProtocol versions before 7.3.0-QRADAR-PROTOCOL-SmbTailProtocol-7.3-20201007124637\n\nAll OracleDatabaseListener versions before 7.3.0-QRADAR-PROTOCOL-OracleDatabaseListener-7.3-20201007124637\n\nAll WindowsExchangeProtocol versions before 7.3.0-QRADAR-PROTOCOL-WindowsExchangeProtocol-7.3-20201007124637\n\nAll WindowsIISProtocol versions before 7.3.0-QRADAR-PROTOCOL-WindowsIISProtocol-7.3-20201007124637\n\nAll EMCVMWareProtocol versions before 7.3.0-QRADAR-PROTOCOL-EMCVMWareProtocol-7.3-20200916171440\n\n**7.4**\n\nAll WindowsDHCPProtocol versions before 7.4.0-QRADAR-PROTOCOL-WindowsDHCPProtocol-7.4-20201007123631\n\nAll SmbTailProtocol versions before 7.4.0-QRADAR-PROTOCOL-SmbTailProtocol-7.4-20201007123631\n\nAll OracleDatabaseListener versions before 7.4.0-QRADAR-PROTOCOL-OracleDatabaseListener-7.4-2020100712363\n\nAll WindowsExchangeProtocol versions before 7.4.0-QRADAR-PROTOCOL-WindowsExchangeProtocol-7.4-2020100712363\n\nAll WindowsIISProtocol versions before 7.4.0-QRADAR-PROTOCOL-WindowsIISProtocol-7.4-20201007123631\n\nAll EMCVMWareProtocol versions before 7.4.0-QRADAR-PROTOCOL-EMCVMWareProtocol-7.4-20200916171516\n\n## Remediation/Fixes\n\n**7.3**\n\n[7.3.0-QRADAR-PROTOCOL-WindowsDHCPProtocol-7.3-20201007124637](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=All&function=fixId&fixids=7.3.0-QRADAR-PROTOCOL-WindowsDHCPProtocol-7.3-20201007124637.noarch.rpm&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"\" )\n\n[7.3.0-QRADAR-PROTOCOL-SmbTailProtocol-7.3-20201007124637](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=All&function=fixId&fixids=7.3.0-QRADAR-PROTOCOL-SmbTailProtocol-7.3-20201007124637.noarch.rpm&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"\" )\n\n[7.3.0-QRADAR-PROTOCOL-OracleDatabaseListener-7.3-20201007124637](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=All&function=fixId&fixids=7.3.0-QRADAR-PROTOCOL-OracleDatabaseListener-7.3-20201007124637.noarch.rpm&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"\" )\n\n[7.3.0-QRADAR-PROTOCOL-WindowsExchangeProtocol-7.3-20201007124637](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=All&function=fixId&fixids=7.3.0-QRADAR-PROTOCOL-WindowsExchangeProtocol-7.3-20201007124637.noarch.rpm&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"\" )\n\n[7.3.0-QRADAR-PROTOCOL-WindowsIISProtocol-7.3-20201007124637](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=All&function=fixId&fixids=7.3.0-QRADAR-PROTOCOL-WindowsIISProtocol-7.3-20201007124637.noarch.rpm&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"\" )\n\n[7.3.0-QRADAR-PROTOCOL-EMCVMWareProtocol-7.3-20200916171440](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=All&function=fixId&fixids=7.3.0-QRADAR-PROTOCOL-EMCVMWareProtocol-7.3-20200916171440.noarch.rpm&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"\" )\n\n**7.4**\n\n[7.4.0-QRADAR-PROTOCOL-WindowsDHCPProtocol-7.4-20201007123631](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-PROTOCOL-WindowsDHCPProtocol-7.4-20201007123631.noarch.rpm&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"\" )\n\n[7.4.0-QRADAR-PROTOCOL-SmbTailProtocol-7.4-20201007123631](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-PROTOCOL-SmbTailProtocol-7.4-20201007123631.noarch.rpm&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"\" )\n\n[7.4.0-QRADAR-PROTOCOL-OracleDatabaseListener-7.4-2020100712363](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-PROTOCOL-OracleDatabaseListener-7.4-20201007123631.noarch.rpm&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"\" )\n\n[7.4.0-QRADAR-PROTOCOL-WindowsExchangeProtocol-7.4-2020100712363](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-PROTOCOL-WindowsExchangeProtocol-7.4-20201007123631.noarch.rpm&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"\" )\n\n[7.4.0-QRADAR-PROTOCOL-WindowsIISProtocol-7.4-20201007123631](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-PROTOCOL-WindowsIISProtocol-7.4-20201007123631.noarch.rpm&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"\" )\n\n[7.4.0-QRADAR-PROTOCOL-EMCVMWareProtocol-7.4-20200916171516](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-PROTOCOL-EMCVMWareProtocol-7.4-20200916171516.noarch.rpm&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"7.4.0-QRADAR-PROTOCOL-EMCVMWareProtocol-7.4-20200916171516\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-28T21:34:12", "type": "ibm", "title": "Security Bulletin: Dom4j as used by IBM QRadar SIEM contains multiple vulnerabilities (CVE-2018-1000632, CVE-2020-10683)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632", "CVE-2020-10683"], "modified": "2020-10-28T21:34:12", "id": "C38AFDD82BC77228F8D7DDBD5DE927E97F8C97D1E6B1F76B6C890149323EE9E7", "href": "https://www.ibm.com/support/pages/node/6356447", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-07T18:12:07", "description": "## Summary\n\nAtlas eDiscovery Process Management is affected by a vulnerable dom4j-1.6.1.jar. Hence dom4j-1.6.1.jar upgraded to dom4j-2.0.3.jar to fix vulnerabilities.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-10683](<https://vulners.com/cve/CVE-2020-10683>) \n** DESCRIPTION: **dom4j could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending specially crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181356](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181356>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-1000632](<https://vulners.com/cve/CVE-2018-1000632>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nAtlas eDiscovery Process Management| 6.0.3 \n \n\n\n## Remediation/Fixes\n\n**_ Product_**\n\n| \n\n**_ VRMF_**\n\n| \n\n**_ Remediation/First Fix_** \n \n---|---|--- \n \nAtlas eDiscovery Process Management\n\n| \n\n6.0.3\n\n| \n\nApply Fix Pack **6.0.3.9 Interim fix 7**, available from [Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Atlas%20eDiscovery&product=ibm/Information+Management/Atlas+eDiscovery+Process+Management&release=6.0.3.9&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-08T08:24:22", "type": "ibm", "title": "Security Bulletin: Atlas eDiscovery Process Management is affected by a vulnerable dom4j-1.6.1.jar", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632", "CVE-2020-10683"], "modified": "2023-05-08T08:24:22", "id": "3BF2E5B5DC96CFF6560CACA72BDEFBC18C7F886DCC73DD4BC3A493BD7B4647F1", "href": "https://www.ibm.com/support/pages/node/6988889", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-24T06:16:37", "description": "## Summary\n\nThe Planning Analytics Workspace component of IBM Planning Analytics is affected by multiple vulnerabilities . These have been addressed in IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 55.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4653](<https://vulners.com/cve/CVE-2020-4653>) \n** DESCRIPTION: **IBM Planning Analytics 2.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186082](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186082>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2020-4648](<https://vulners.com/cve/CVE-2020-4648>) \n** DESCRIPTION: **A vulnerability exsists in IBM Planning Analytics 2.0 whereby avatars in Planning Analytics Workspace could be modified by other users without authorization to do so. IBM X-Force ID: 186019. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186019](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186019>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2014-0114](<https://vulners.com/cve/CVE-2014-0114>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92889](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-1000632](<https://vulners.com/cve/CVE-2018-1000632>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-10768](<https://vulners.com/cve/CVE-2019-10768>) \n** DESCRIPTION: **AngularJS could allow a remote attacker to bypass security restrictions, caused by a prototype pollution flaw in the merge function. By sending a specially-crafted request using a constructor payload, a remote attacker could exploit this vulnerability to add or modify properties of Object.prototype. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172185](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172185>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** Third Party Entry: **177835 \n** DESCRIPTION: **Apache Commons Codec could allow a remote attacker to obtain sensitive information, caused by the improper validation of input. An attacker could exploit this vulnerability using a method call to obtain sensitive information. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/177835 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177835>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Planning Analytics 2.0.x\n\n \n\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix as soon as practical.\n\n[Download IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 55 from Fix Central.](<https://www.ibm.com/support/pages/node/6251229> \"Download IBM Planning Analytics Local v2.0 - Planning Analytics Workspace Release 55 from Fix Central.\" )\n\n \n\n\n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-08-18T14:25:47", "type": "ibm", "title": "Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0114", "CVE-2018-1000632", "CVE-2019-10768", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-4648", "CVE-2020-4653"], "modified": "2021-08-18T14:25:47", "id": "D4F9AE28EA501CF2A176391E0E920E7B7FC3A2D7D8CE5319FAE6CA44DF5B1E04", "href": "https://www.ibm.com/support/pages/node/6254788", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-20T15:51:03", "description": "## Summary\n\nThere are multiple vulnerabilities that are used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Engineering Lifecycle Management (ELM), IBM Engineering Requirements Management DOORS Next (DOORS Next), IBM Engineering Workflow Management (EWM), IBM Engineering Systems Design Rhapsody, IBM Engineering Requirements Quality Assistant On-Premises.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-8908](<https://vulners.com/cve/CVE-2020-8908>) \n** DESCRIPTION: **Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(). By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192996](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192996>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-29786](<https://vulners.com/cve/CVE-2021-29786>) \n** DESCRIPTION: **IBM Jazz Foundation stores user credentials in clear text which can be read by an authenticated user. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/203172](<https://exchange.xforce.ibmcloud.com/vulnerabilities/203172>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2021-29774](<https://vulners.com/cve/CVE-2021-29774>) \n** DESCRIPTION: **IBM Engineering Requirements Quality Assistant could allow an authenticated user to obtain elevated privileges under certain configurations. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/203025](<https://exchange.xforce.ibmcloud.com/vulnerabilities/203025>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-29713](<https://vulners.com/cve/CVE-2021-29713>) \n** DESCRIPTION: **IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/200967](<https://exchange.xforce.ibmcloud.com/vulnerabilities/200967>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-27219](<https://vulners.com/cve/CVE-2021-27219>) \n** DESCRIPTION: **GNOME GLib could allow a remote attacker to cause a denial of service, caused by an integer overflow in the g_bytes_new function. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/196782](<https://exchange.xforce.ibmcloud.com/vulnerabilities/196782>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-29673](<https://vulners.com/cve/CVE-2021-29673>) \n** DESCRIPTION: **IBM Engineering Workflow Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/199482](<https://exchange.xforce.ibmcloud.com/vulnerabilities/199482>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-1000632](<https://vulners.com/cve/CVE-2018-1000632>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-10683](<https://vulners.com/cve/CVE-2020-10683>) \n** DESCRIPTION: **dom4j could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending specially crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181356](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181356>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2021-29844](<https://vulners.com/cve/CVE-2021-29844>) \n** DESCRIPTION: **IBM Engineering Requirements Management DOORS Next is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/205205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/205205>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nCLM| 6.0.6.1 \nCLM| 6.0.6 \nELM| 7.0.2 \nELM| 7.0 \nELM| 7.0.1 \nIBM Engineering Requirements Quality Assistant| 1.0 \nIBM Engineering Requirements Quality Assistant On-Premises| All \nEWM| 7.0.2 \nEWM| 7.0.1 \nRTC| 6.0.2 \nRTC| 6.0.6.1 \nEWM| 7.0 \nRTC| 6.0.6 \nIBM Engineering Systems Design Rhapsody| All \nDOORS Next| 7.0.2 \nDOORS Next| 7.0 \nDOORS Next| 7.0.1 \nRDNG| 6.0.6.1 \nRDNG| 6.0.6 \n \n\n\n## Remediation/Fixes\n\nFor the 6.0.6 - 7.0.2 releases: \n\nUpgrade to version 7.0.2 iFix005 or later\n\n * [IBM Engineering Lifecycle Management 7.0.2 iFix007](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.2&platform=All&function=all> \"\" )\n * [IBM Engineering Requirements Management DOORS Next 7.0.2 iFix007](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Requirements+Management+DOORS+Next&release=7.0.2&platform=All&function=all> \"\" )\n * [IBM Engineering Test Management 7.0.2 iFix007](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Test+Management&release=7.0.2&platform=All&function=all> \"\" )\n * [IBM Engineering Workflow Management 7.0.2 iFix007](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Workflow+Management&release=7.0.2&platform=All&function=all> \"\" )\n * IBM Engineering Lifecycle Optimization - Engineering Insights:_ _Upgrade to version 7.0.2 and install server from [ELM 7.0.2 iFix007](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.2&platform=All&function=all> \"ELM 7.0.2 iFix001\" )\n * IBM Engineering Lifecycle Optimization - Publishing:_ _Upgrade to version 7.0.2 and install server from [ELM 7.0.2 iFix007](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.2&platform=All&function=all> \"ELM 7.0.2 iFix001\" )\n * IBM Engineering Systems Design Rhapsody - Design Manager:_ _Upgrade to version 7.0.2 and install server from [ELM 7.0.2 iFix007](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.2&platform=All&function=all> \"ELM 7.0.2 iFix001\" )\n * IBM Engineering Systems Design Rhapsody - Model Manager:_ _Upgrade to version 7.0.2 and install server from [ELM 7.0.2 iFix007](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.2&platform=All&function=all> \"ELM 7.0.2 iFix001\" )\n\nUpgrade to version 7.0.1 iFix010 or later\n\n * [IBM Engineering Lifecycle Management 7.0.1 iFix012](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.1&platform=All&function=all> \"\" )\n * [IBM Engineering Requirements Management DOORS Next 7.0.1 iFix012](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Requirements+Management+DOORS+Next&release=7.0.1&platform=All&function=all> \"\" )\n * [IBM Engineering Test Management 7.0.1 iFix012](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Test+Management&release=7.0.1&platform=All&function=all> \"IBM Engineering Test Management 7.0 iFix003\" )\n * [IBM Engineering Workflow Management 7.0.1 iFix012](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Workflow+Management&release=7.0.1&platform=All&function=all> \"IBM Engineering Workflow Management 7.0 iFix003\" )\n * IBM Engineering Lifecycle Optimization - Engineering Insights:_ _Upgrade to version 7.0.1 and install server from [ELM 7.0.1 iFix012](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.1&platform=All&function=all> \"ELM 7.0 iFix003\" )\n * IBM Engineering Lifecycle Optimization - Publishing:_ _Upgrade to version 7.0.1 and install server from [ELM 7.0.1 iFix012](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.1&platform=All&function=all> \"ELM 7.0 iFix003\" )\n * IBM Engineering Systems Design Rhapsody - Design Manager:_ _Upgrade to version 7.0.1 and install server from [ELM 7.0.1 iFix012](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.1&platform=All&function=all> \"ELM 7.0 iFix003\" )\n * IBM Engineering Systems Design Rhapsody - Model Manager:_ _Upgrade to version 7.0.1 and install server from [ELM 7.0.1 iFix012](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0.1&platform=All&function=all> \"ELM 7.0 iFix003\" )\n\nUpgrade to version 7.0 iFix010 or later\n\n * [IBM Engineering Lifecycle Management 7.0 iFix012](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0&platform=All&function=all> \"IBM Engineering Lifecycle Management 7.0 iFix003\" )\n * [IBM Engineering Requirements Management DOORS Next 7.0 iFix012](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Requirements+Management+DOORS+Next&release=7.0&platform=All&function=all> \"IBM Engineering Requirements Management DOORS Next 7.0 iFix003\" )\n * [IBM Engineering Test Management 7.0 iFix012](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Test+Management&release=7.0&platform=All&function=all> \"IBM Engineering Test Management 7.0 iFix003\" )\n * [IBM Engineering Workflow Management 7.0 iFix012](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Workflow+Management&release=7.0&platform=All&function=all> \"IBM Engineering Workflow Management 7.0 iFix003\" )\n * IBM Engineering Lifecycle Optimization - Engineering Insights:_ _Upgrade to version 7.0 and install server from [ELM 7.0 iFix012](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0&platform=All&function=all> \"ELM 7.0 iFix003\" )\n * IBM Engineering Lifecycle Optimization - Publishing:_ _Upgrade to version 7.0 and install server from [ELM 7.0 iFix012](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0&platform=All&function=all> \"ELM 7.0 iFix003\" )\n * IBM Engineering Systems Design Rhapsody - Design Manager:_ _Upgrade to version 7.0 and install server from [ELM 7.0 iFix012](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0&platform=All&function=all> \"ELM 7.0 iFix003\" )\n * IBM Engineering Systems Design Rhapsody - Model Manager:_ _Upgrade to version 7.0 and install server from [ELM 7.0 iFix012](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0&platform=All&function=all> \"ELM 7.0 iFix003\" )\n 1. \n\n\nUpgrade to version 6.0.6.1 iFix018 or later\n\n * [Rational Collaborative Lifecycle Management 6.0.6.1 iFix020](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6.1&platform=All&function=all>)\n * [Rational DOORS Next Generation 6.0.6.1 iFix020](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+DOORS+Next+Generation&release=6.0.6.1&platform=All&function=all>)\n * [Rational Quality Manager 6.0.6.1 iFix020](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Quality+Manager&release=6.0.6.1&platform=All&function=all>)\n * [Rational Team Concert 6.0.6.1 iFix020](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Team+Concert&release=6.0.6.1&platform=All&function=all>)\n * Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.6.1 and install server from [CLM 6.0.6.1 iFix020](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6.1&platform=All&function=all>)\n * Rational Publishing Engine:_ _Upgrade to version 6.0.6.1 and install server from [CLM 6.0.6.1 iFix020](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6.1&platform=All&function=all>)\n * Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.6.1 and install server from [CLM 6.0.6.1 iFix0202](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6.1&platform=All&function=all>)\n * IBM Rhapsody Model Manager:_ _Upgrade to version 6.0.6.1 and install server from [CLM 6.0.6.1 iFix020](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6.1&platform=All&function=all>)\n * Rational Software Architect Design Manager:_ _Upgrade to version 6.0.6.1 and install server from [CLM 6.0.6.1 iFix020](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6.1&platform=All&function=all>)\n\n \n\n\nUpgrade to version 6.0.6 iFix022 or later\n\n * [Rational Collaborative Lifecycle Management 6.0.6 iFix023](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6&platform=All&function=all>)\n * [Rational DOORS Next Generation 6.0.6 iFix023](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+DOORS+Next+Generation&release=6.0.6&platform=All&function=all>)\n * [Rational Quality Manager 6.0.6 iFix023](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Quality+Manager&release=6.0.6&platform=All&function=all>)\n * [Rational Team Concert 6.0.6 iFix023](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Team+Concert&release=6.0.6&platform=All&function=all>)\n * Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.6 and install server from [CLM 6.0.6 iFix023](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6&platform=All&function=all>)\n * Rational Publishing Engine:_ _Upgrade to version 6.0.6 and install server from [CLM 6.0.6 iFix023](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6&platform=All&function=all>)\n * Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.6 and install server from [CLM 6.0.6 iFix023](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6&platform=All&function=all>)\n * IBM Rhapsody Model Manager:_ _Upgrade to version 6.0.6 and install server from [CLM 6.0.6 iFix023](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6&platform=All&function=all>)\n * Rational Software Architect Design Manager:_ _Upgrade to version 6.0.6 and install server from [CLM 6.0.6 iFix023](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6&platform=All&function=all>)\n\n \n\n\nFor IBM Engineering Requirements Quality Assistant On-Premises:\n\n * Please follow the [RQA Upgrade](<https://www.ibm.com/support/knowledgecenter/SS3UPN/com.ibm.help.rm.assist.doc/topics/c_rqa_upgrade_node.html>) instructions.\n\n \nFor any prior versions of the products listed above, IBM recommends upgrading to a fixed, supported version/release/platform of the product. \n \nIf the iFix is not found in the Fix Portal please contact IBM Support.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-25T20:01:15", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilites affect Engineering Lifecycle Management and IBM Engineering products.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632", "CVE-2020-10683", "CVE-2020-8908", "CVE-2021-27219", "CVE-2021-29673", "CVE-2021-29713", "CVE-2021-29774", "CVE-2021-29786", "CVE-2021-29844"], "modified": "2021-10-25T20:01:15", "id": "9308099D073B8B4A5B875ABF63A2A8BA4F4ABCB691E71E14B89B4833B4ED12AD", "href": "https://www.ibm.com/support/pages/node/6508583", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-07T18:17:17", "description": "## Summary\n\nMultiple vulnerabilities in Open Source software used by Cloud Pak System. IBM Cloud Pak System has addressed those vulnerabilities. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2015-1832](<https://vulners.com/cve/CVE-2015-1832>) \n** DESCRIPTION: **Apache Derby could allow a remote attacker to obtain sensitive information, caused by a XML external entity (XXE) error when processing XML data by the XML datatype and XmlVTI. An attacker could exploit this vulnerability to read arbitrary files on the system or cause a denial of service. \nCVSS Base score: 6.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/115625](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115625>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P) \n \n** CVEID: **[CVE-2018-1313](<https://vulners.com/cve/CVE-2018-1313>) \n** DESCRIPTION: **Apache Derby could allow a remote attacker to bypass security restrictions, caused by improper validation of network packets received. By sending a specially-crafted network packet, an attacker could exploit this vulnerability to boot a database whose location and contents are under the user's control. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/142898](<https://exchange.xforce.ibmcloud.com/vulnerabilities/142898>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2020-13956](<https://vulners.com/cve/CVE-2020-13956>) \n** DESCRIPTION: **Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189572](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189572>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-13936](<https://vulners.com/cve/CVE-2020-13936>) \n** DESCRIPTION: **Apache Velocity could allow a remote attacker to execute arbitrary code on the system, caused by a sandbox bypass flaw. By modifying the Velocity templates, an attacker could exploit this vulnerability to execute arbitrary code with the same privileges as the account running the Servlet container. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197993](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197993>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2022-42004](<https://vulners.com/cve/CVE-2022-42004>) \n** DESCRIPTION: **FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in in the BeanDeserializer._deserializeFromArray function. By sending a specially-crafted request using deeply nested arrays, a local attacker could exploit this vulnerability to exhaust all available resources. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/237660](<https://exchange.xforce.ibmcloud.com/vulnerabilities/237660>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-36518](<https://vulners.com/cve/CVE-2020-36518>) \n** DESCRIPTION: **FasterXML jackson-databind is vulnerable to a denial of service, caused by a Java StackOverflow exception. By using a large depth of nested objects, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/222319](<https://exchange.xforce.ibmcloud.com/vulnerabilities/222319>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2022-42003](<https://vulners.com/cve/CVE-2022-42003>) \n** DESCRIPTION: **FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in the primitive value deserializers when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. By sending a specially-crafted request using deep wrapper array nesting, a local attacker could exploit this vulnerability to exhaust all available resources. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/237662](<https://exchange.xforce.ibmcloud.com/vulnerabilities/237662>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-11979](<https://vulners.com/cve/CVE-2020-11979>) \n** DESCRIPTION: **Apache Ant could allow a remote authenticated attacker to bypass security restrictions, caused by an insecure temporary file flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to inject modified source files into the build process. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189164](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189164>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2021-42550](<https://vulners.com/cve/CVE-2021-42550>) \n** DESCRIPTION: **Logback could allow a remote authenticated attacker to execute arbitrary code on the system. By using a specially-crafted configuration, an attacker could exploit this vulnerability to execute arbitrary code loaded from LDAP servers. \nCVSS Base score: 6.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215533](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215533>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2022-25857](<https://vulners.com/cve/CVE-2022-25857>) \n** DESCRIPTION: **Java package org.yaml:snakeyam is vulnerable to a denial of service, caused by missing to nested depth limitation for collections. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/234864](<https://exchange.xforce.ibmcloud.com/vulnerabilities/234864>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-37533](<https://vulners.com/cve/CVE-2021-37533>) \n** DESCRIPTION: **Apache Commons Net could allow a remote attacker to obtain sensitive information, caused by an issue with the FTP client trusts the host from PASV response by default. By persuading a victim to connect to specially-crafted server, an attacker could exploit this vulnerability to obtain information about services running on the private network, and use this information to launch further attacks against the affected system. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/241253](<https://exchange.xforce.ibmcloud.com/vulnerabilities/241253>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2021-36374](<https://vulners.com/cve/CVE-2021-36374>) \n** DESCRIPTION: **Apache Ant is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By persuading a victim to open a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/205314](<https://exchange.xforce.ibmcloud.com/vulnerabilities/205314>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-36373](<https://vulners.com/cve/CVE-2021-36373>) \n** DESCRIPTION: **Apache Ant is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/205311](<https://exchange.xforce.ibmcloud.com/vulnerabilities/205311>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-1945](<https://vulners.com/cve/CVE-2020-1945>) \n** DESCRIPTION: **Apache Ant could allow a remote attacker to bypass security restrictions, caused by the use of an insecure temporary directory to store source files. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information and inject modified source files into the build process. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181875](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181875>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-5259](<https://vulners.com/cve/CVE-2020-5259>) \n** DESCRIPTION: **Dojo dojox could allow a remote attacker to inject arbitrary code on the system, caused by a prototype pollution flaw. By injecting other values, an attacker could exploit this vulnerability to overwrite, or pollute, a JavaScript application object prototype of the base object. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177752](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177752>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2020-4051](<https://vulners.com/cve/CVE-2020-4051>) \n** DESCRIPTION: **Dijit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Editor's LinkDialog plugin. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183740](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183740>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-15494](<https://vulners.com/cve/CVE-2018-15494>) \n** DESCRIPTION: **Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DataGrid component. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148556](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148556>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-10785](<https://vulners.com/cve/CVE-2019-10785>) \n** DESCRIPTION: **Dojox is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the dojox.xmpp.util.xmlEncode. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176460](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176460>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2016-6814](<https://vulners.com/cve/CVE-2016-6814>) \n** DESCRIPTION: **Apache Groovy could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization error. By a specially crafted serialized object, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/123944](<https://exchange.xforce.ibmcloud.com/vulnerabilities/123944>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2015-3253](<https://vulners.com/cve/CVE-2015-3253>) \n** DESCRIPTION: **Apache Groovy could allow a remote attacker to execute arbitrary code on the system, caused by the failure to isolate serialization code when using standard Java serialization mechanim to communicate between servers. An attacker could exploit this vulnerability to deserialize objects and execute arbitrary code on the system or cause a denial of service. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/104819](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104819>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2018-1000632](<https://vulners.com/cve/CVE-2018-1000632>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** IBM X-Force ID: **217968 \n** DESCRIPTION: **FasterXML jackson-databind is vulnerable to a denial of service, caused by an error when using JDK serialization to serialize and deserialize JsonNode values. By sending a specially crafted request, an attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/217968 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217968>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Cloud Pak System| 2.3.3.0 - 2.3.3.5 (Intel) \nIBM Cloud Pak System Software Suite| 2.3.3.0 - 2.3.3.5 \nIBM Cloud Pak System| 2.3 \n \n\n\n## Remediation/Fixes\n\nFor unsupported version/release/platform IBM recommends upgrading to a fixed, supported /release/platform of the product. \n\nCloud Pak System shipped derby and jackson databind and with Logstash that includes derby and jackson databind, Cloud Pak System upgraded libraries to fixed version and removed Logstash with Cloud Pak System v2.3.3.6. \n\nFor IBM Cloud Pak System v2.3.0, 2.3.0.1, 2.3.1.0, v2.3.3.0, v2.3.3.1, v2.3.3.2, v2.3.3.3, v2.3.3.3 Interim Fix1, v2.3.3.4, v2.3.3.5, \n\nUpgrade to Cloud Pak System v2.3.3.6 available at [FixCentral](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/IBM+Cloud+Pak+System&release=2.3.3.6&platform=Linux&function=all> \"FixCentral\" ).\n\nInformation on upgrading at : <http://www.ibm.com/support/docview.wss?uid=ibm10887959>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-31T14:10:21", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Open Source software used by Cloud Pak System", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1832", "CVE-2015-3253", "CVE-2016-6814", "CVE-2018-1000632", "CVE-2018-1313", "CVE-2018-15494", "CVE-2019-10785", "CVE-2020-11979", "CVE-2020-13936", "CVE-2020-13956", "CVE-2020-1945", "CVE-2020-36518", "CVE-2020-4051", "CVE-2020-5259", "CVE-2021-36373", "CVE-2021-36374", "CVE-2021-37533", "CVE-2021-42550", "CVE-2022-25857", "CVE-2022-42003", "CVE-2022-42004"], "modified": "2023-03-31T14:10:21", "id": "27BC70E2EA08EE1D00F1DC696806FF0E8D5E261D13D8DFE4629529B49DBE187D", "href": "https://www.ibm.com/support/pages/node/6967183", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:46:20", "description": "## Summary\n\nThis interim fix provides instructions on upgrading third parity libraries in IBM Spectrum Conductor 2.5.0 in order to address security vulnerabilities CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023, CVE-2019-17359, CVE-2019-8331, CVE-2018-1000632, CVE-2018-10237, CVE-2020-13956, CVE-2020-9488, CVE-2017-18214, CVE-2020-11979, CVE-2020-7760, CVE-2017-16042, CVE-2016-10540, CVE-2016-1000027, CVE-2012-0881, CVE-2013-4002, CVE-2020-26939, and CVE-2020-7598.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2015-9251](<https://vulners.com/cve/CVE-2015-9251>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138029>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-11358](<https://vulners.com/cve/CVE-2019-11358>) \n** DESCRIPTION: **jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159633>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11022](<https://vulners.com/cve/CVE-2020-11022>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181349>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11023](<https://vulners.com/cve/CVE-2020-11023>) \n** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181350>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-17359](<https://vulners.com/cve/CVE-2019-17359>) \n** DESCRIPTION: **Bouncy Castle Crypto is vulnerable to a denial of service, caused by OutOfMemoryError error in ASN.1 parser. By sending specially crafted ASN.1 data, a local attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168581](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168581>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2019-8331](<https://vulners.com/cve/CVE-2019-8331>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the tooltip or popover data-template. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/157409](<https://exchange.xforce.ibmcloud.com/vulnerabilities/157409>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-1000632](<https://vulners.com/cve/CVE-2018-1000632>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2018-10237](<https://vulners.com/cve/CVE-2018-10237>) \n** DESCRIPTION: **Google Guava is vulnerable to a denial of service, caused by improper eager allocation checks in the AtomicDoubleArray and CompoundOrdering class. By sending a specially-crafted data, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/142508](<https://exchange.xforce.ibmcloud.com/vulnerabilities/142508>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-13956](<https://vulners.com/cve/CVE-2020-13956>) \n** DESCRIPTION: **Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189572](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189572>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-9488](<https://vulners.com/cve/CVE-2020-9488>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a man-in-the-middle attack, caused by improper certificate validation with host mismatch in the SMTP appender. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180824](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180824>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2017-18214](<https://vulners.com/cve/CVE-2017-18214>) \n** DESCRIPTION: **Node.js moment module is vulnerable to a denial of service. A remote attacker could exploit this vulnerability to cause a low severity regular expression denial of service. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/135364](<https://exchange.xforce.ibmcloud.com/vulnerabilities/135364>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-11979](<https://vulners.com/cve/CVE-2020-11979>) \n** DESCRIPTION: **Apache Ant could allow a remote authenticated attacker to bypass security restrictions, caused by an insecure temporary file flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to inject modified source files into the build process. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189164](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189164>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2020-7760](<https://vulners.com/cve/CVE-2020-7760>) \n** DESCRIPTION: **Node.js codemirror module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By using sub-pattern (s|/*.*?*/)*, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/190938](<https://exchange.xforce.ibmcloud.com/vulnerabilities/190938>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2017-16042](<https://vulners.com/cve/CVE-2017-16042>) \n** DESCRIPTION: **Node.js growl module could allow a remote attacker to execute arbitrary commands on the system, caused by improper input validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/145541](<https://exchange.xforce.ibmcloud.com/vulnerabilities/145541>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2016-10540](<https://vulners.com/cve/CVE-2016-10540>) \n** DESCRIPTION: **Node.js minimatch module is vulnerable to a denial of service, caused by a flaw in the minimatch function. By using a specially-crafted value, a remote attacker could exploit this vulnerability to cause a regular expression denial of service. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/149140](<https://exchange.xforce.ibmcloud.com/vulnerabilities/149140>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2016-1000027](<https://vulners.com/cve/CVE-2016-1000027>) \n** DESCRIPTION: **Pivota Spring Framework could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a code injection vulnerability. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 6.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174367](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174367>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2012-0881](<https://vulners.com/cve/CVE-2012-0881>) \n** DESCRIPTION: **Apache Xerces2 Java is vulnerable to a denial of service, caused by a flaw in the XML service. By sending a specially crafted message to an XML service, a remote attacker could exploit this vulnerability to consume available CPU resources from the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/134404](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134404>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2013-4002](<https://vulners.com/cve/CVE-2013-4002>) \n** DESCRIPTION: **A denial of service vulnerability in the Apache Xerces-J parser used by IBM Java could result in a complete availability impact on the affected system. \nCVSS Base score: 7.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85260](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85260>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C) \n \n** CVEID: **[CVE-2020-26939](<https://vulners.com/cve/CVE-2020-26939>) \n** DESCRIPTION: **Legion of the Bouncy Castle BC and Legion of the Bouncy Castle BC-FJA could allow a remote attacker to obtain sensitive information, caused by observable differences in behavior to rrror inputs in org.bouncycastle.crypto.encodings.OAEPEncoding. By using the OAEP Decoder to send invalid ciphertext that decrypts to a short payload, a remote attacker could exploit this vulnerability to obtain sensitive information and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/191108](<https://exchange.xforce.ibmcloud.com/vulnerabilities/191108>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-7598](<https://vulners.com/cve/CVE-2020-7598>) \n** DESCRIPTION: **minimist could provide weaker than expected security, caused by a prototype pollution flaw. By sending a specially crafted request, a remote attacker could exploit this vulnerability to add or modify properties of Object.prototype. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177780](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177780>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Spectrum Conductor| 2.5.0 \n \n\n\n## Remediation/Fixes\n\n**Products**| **VRMF**| **Remediation/First Fix** \n---|---|--- \nIBM Spectrum Conductor \n| 2.5.0| [sc-2.5-build600141](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Conductor+with+Spark&release=All&platform=All&function=fixId&fixids=sc-2.5-build600141&includeSupersedes=0> \"sc-2.5-build600141\" ) \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-20T06:41:42", "type": "ibm", "title": "Security Bulletin: Multiple vulnerability issues affect IBM Spectrum Conductor 2.5.0", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0881", "CVE-2013-4002", "CVE-2015-9251", "CVE-2016-1000027", "CVE-2016-10540", "CVE-2017-16042", "CVE-2017-18214", "CVE-2018-1000632", "CVE-2018-10237", "CVE-2019-11358", "CVE-2019-17359", "CVE-2019-8331", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11979", "CVE-2020-13956", "CVE-2020-26939", "CVE-2020-7598", "CVE-2020-7760", "CVE-2020-9488"], "modified": "2021-02-20T06:41:42", "id": "807F02BF5D04D1D709B1D383A56D073A3E2ABB5E058B819FF145C9C80E083AF4", "href": "https://www.ibm.com/support/pages/node/6416393", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-27T21:47:34", "description": "## Summary\n\nThere are multiple vulnerabilities identified in IBM Guardium Data Encryption (GDE). These vulnerabilities have been fixed in GDE 4.0.0.4. Please apply the latest version for the fixes.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2017-7957](<https://vulners.com/cve/CVE-2017-7957>) \n** DESCRIPTION: **XStream is vulnerable to a denial of service, caused by the improper handling of attempts to create an instance of the primitive type 'void' during unmarshalling. A remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/125800](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125800>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2016-3674](<https://vulners.com/cve/CVE-2016-3674>) \n** DESCRIPTION: **XStream could allow a remote attacker to obtain sensitive information, caused by an error when processing XML external entities. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/111806](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111806>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-10237](<https://vulners.com/cve/CVE-2018-10237>) \n** DESCRIPTION: **Google Guava is vulnerable to a denial of service, caused by improper eager allocation checks in the AtomicDoubleArray and CompoundOrdering class. By sending a specially-crafted data, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/142508](<https://exchange.xforce.ibmcloud.com/vulnerabilities/142508>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-4702](<https://vulners.com/cve/CVE-2019-4702>) \n** DESCRIPTION: **IBM Guardium Data Encryption (GDE) specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. \nCVSS Base score: 4.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171937](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171937>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-4160](<https://vulners.com/cve/CVE-2019-4160>) \n** DESCRIPTION: **IBM Guardium Data Encryption (GDE) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/158577](<https://exchange.xforce.ibmcloud.com/vulnerabilities/158577>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-11272](<https://vulners.com/cve/CVE-2019-11272>) \n** DESCRIPTION: **Pivotal Spring Security could allow a remote attacker to bypass security restrictions, caused by a flaw in the PlaintextPasswordEncoder function. By using a password of \"null\", an attacker could exploit this vulnerability to bypass access restrictions. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166568](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166568>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2019-3795](<https://vulners.com/cve/CVE-2019-3795>) \n** DESCRIPTION: **Pivotal Spring Security could provide weaker than expected security, caused by an insecure randomness flaw when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. A remote attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159543](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159543>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N) \n \n** CVEID: **[CVE-2019-3774](<https://vulners.com/cve/CVE-2019-3774>) \n** DESCRIPTION: **Pivotal Spring Batch could allow a remote attacker to obtain sensitive information, caused by improper handling of XML External Entity (XXE). By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to obtain sensitive information from the system. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155922](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155922>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2018-15756](<https://vulners.com/cve/CVE-2018-15756>) \n** DESCRIPTION: **Pivotal Spring Framework is vulnerable to a denial of service, caused by improper handling of range request by the ResourceHttpRequestHandler. By adding a range header with a high number of ranges, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/151641](<https://exchange.xforce.ibmcloud.com/vulnerabilities/151641>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2018-11040](<https://vulners.com/cve/CVE-2018-11040>) \n** DESCRIPTION: **Pivotal Spring Framework could allow a remote attacker to bypass security restrictions, caused by a flaw in AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView. By sending a specially-crafted request, an attacker could exploit this vulnerability to perform cross-domain requests. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/145413](<https://exchange.xforce.ibmcloud.com/vulnerabilities/145413>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2018-11039](<https://vulners.com/cve/CVE-2018-11039>) \n** DESCRIPTION: **Pivotal Spring Framework is vulnerable to cross-site tracing, caused by a flaw in the HiddenHttpMethodFilter in Spring MVC. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability to cause the victim's browser to invoke a TRACE request to return sensitive header information including cookies or authentication data from third-party domains. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/145412](<https://exchange.xforce.ibmcloud.com/vulnerabilities/145412>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-1275](<https://vulners.com/cve/CVE-2018-1275>) \n** DESCRIPTION: **Pivotal Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the exposure of STOMP over WebSocket endpoints with a STOMP broker through the spring-messaging module. By sending a specially-crafted message, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/141565](<https://exchange.xforce.ibmcloud.com/vulnerabilities/141565>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-1272](<https://vulners.com/cve/CVE-2018-1272>) \n** DESCRIPTION: **Pivotal Spring Framework could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper input validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain elevated privileges. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/141286](<https://exchange.xforce.ibmcloud.com/vulnerabilities/141286>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2018-1271](<https://vulners.com/cve/CVE-2018-1271>) \n** DESCRIPTION: **Pivotal Spring Framework could allow a remote attacker to traverse directories on the system, caused by improper validation of user request. An attacker could send a specially-crafted URL request containing \"dot dot\" sequences (/../) to configure Spring MVC to serve static resources. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/141285](<https://exchange.xforce.ibmcloud.com/vulnerabilities/141285>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2018-1270](<https://vulners.com/cve/CVE-2018-1270>) \n** DESCRIPTION: **Pivotal Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the exposure of STOMP over WebSocket endpoints with a STOMP broker through the spring-messaging module. By sending a specially-crafted message, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/141284](<https://exchange.xforce.ibmcloud.com/vulnerabilities/141284>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-1257](<https://vulners.com/cve/CVE-2018-1257>) \n** DESCRIPTION: **Pivotal Spring Framework is vulnerable to a denial of service. By sending a specially-crafted message, a remote attacker could exploit this vulnerability to perform a regular expression denial of service attack. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/143316](<https://exchange.xforce.ibmcloud.com/vulnerabilities/143316>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2018-1199](<https://vulners.com/cve/CVE-2018-1199>) \n** DESCRIPTION: **Pivotal Spring Security and Spring Framework could allow a remote attacker to bypass security restrictions, caused by the failure to consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker could exploit this vulnerability to bypass access restrictions and gain access to the server and obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138601](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138601>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2016-9878](<https://vulners.com/cve/CVE-2016-9878>) \n** DESCRIPTION: **Pivotal Spring Framework could allow a remote attacker to traverse directories on the system, caused by the failure to sanitize paths provided to ResourceServlet. An attacker could send a specially-crafted URL request containing directory traversal sequences to view arbitrary files on the system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/120241](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120241>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2017-4995](<https://vulners.com/cve/CVE-2017-4995>) \n** DESCRIPTION: **Pivotal Spring Security could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the default Jackson configuration. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/135391](<https://exchange.xforce.ibmcloud.com/vulnerabilities/135391>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-1000632](<https://vulners.com/cve/CVE-2018-1000632>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-4687](<https://vulners.com/cve/CVE-2019-4687>) \n** DESCRIPTION: **IBM Guardium Data Encryption (GDE) stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171823](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171823>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-12814](<https://vulners.com/cve/CVE-2019-12814>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue. By sending a specially-crafted JSON message, an attacker could exploit this vulnerability to read arbitrary local files on the server. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162875](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162875>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-12384](<https://vulners.com/cve/CVE-2019-12384>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the logback-core class from polymorphic deserialization. By sending a specially-crafted JSON message, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162849](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162849>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-12086](<https://vulners.com/cve/CVE-2019-12086>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a Polymorphic Typing issue that occurs due to missing com.mysql.cj.jdbc.admin.MiniAdmin validation. By sending a specially-crafted JSON message, a remote attacker could exploit this vulnerability to read arbitrary local files on the server. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/161256](<https://exchange.xforce.ibmcloud.com/vulnerabilities/161256>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-7489](<https://vulners.com/cve/CVE-2018-7489>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue method of the ObjectMapper. By sending specially crafted JSON input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/139549](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139549>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2018-5968](<https://vulners.com/cve/CVE-2018-5968>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by deserialization flaws. By using two different gadgets that bypass a blocklist, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138088](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138088>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2018-19362](<https://vulners.com/cve/CVE-2018-19362>) \n** DESCRIPTION: **An unspecified error with failure to block the jboss-common-core class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155093](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155093>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2018-19361](<https://vulners.com/cve/CVE-2018-19361>) \n** DESCRIPTION: **An unspecified error with failure to block the openjpa class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155092](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155092>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2018-19360](<https://vulners.com/cve/CVE-2018-19360>) \n** DESCRIPTION: **An unspecified error with failure to block the axis2-transport-jms class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155091](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155091>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2018-14721](<https://vulners.com/cve/CVE-2018-14721>) \n** DESCRIPTION: **FasterXML jackson-databind is vulnerable to server-side request forgery, caused by the failure to block the axis2-jaxws class from polymorphic deserialization. A remote authenticated attacker could exploit this vulnerability to obtain sensitive data. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155136](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155136>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-14720](<https://vulners.com/cve/CVE-2018-14720>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by JDK classes. By sending a specially-crafted XML data. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155137](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155137>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-14719](<https://vulners.com/cve/CVE-2018-14719>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155138](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155138>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-14718](<https://vulners.com/cve/CVE-2018-14718>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the slf4j-ext class from polymorphic deserialization. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155139](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155139>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-12023](<https://vulners.com/cve/CVE-2018-12023>) \n** DESCRIPTION: **An unspecified vulnerability in multiple Oracle products could allow an unauthenticated attacker to take control of the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/151425](<https://exchange.xforce.ibmcloud.com/vulnerabilities/151425>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-12022](<https://vulners.com/cve/CVE-2018-12022>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when the Default Typing is enabled. By sending a specially-crafted request in LDAP service, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163227](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163227>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-11307](<https://vulners.com/cve/CVE-2018-11307>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by an issue when untrusted content is deserialized with default typing enabled. By sending specially-crafted content over FTP, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163528](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163528>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-1000873](<https://vulners.com/cve/CVE-2018-1000873>) \n** DESCRIPTION: **FasterXML jackson-databind is vulnerable to a denial of service, caused by improper input validation by the nanoseconds time value field. By persuading a victim to deserialize specially-crafted input, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/154804](<https://exchange.xforce.ibmcloud.com/vulnerabilities/154804>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2017-7525](<https://vulners.com/cve/CVE-2017-7525>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw within the Jackson JSON library in the readValue method of the ObjectMapper. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/134639](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134639>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2017-17485](<https://vulners.com/cve/CVE-2017-17485>) \n** DESCRIPTION: **Jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the default-typing feature. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/137340](<https://exchange.xforce.ibmcloud.com/vulnerabilities/137340>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2017-15095](<https://vulners.com/cve/CVE-2017-15095>) \n** DESCRIPTION: **Jackson Library could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue() method of the ObjectMapper. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/135123](<https://exchange.xforce.ibmcloud.com/vulnerabilities/135123>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nGDE| 3.0.0.2 \n \n\n\n## Remediation/Fixes\n\nProduct(s)| Fixed Version \n---|--- \nGDE| [4.0.0.4](<https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=800f008fdb1ce41080b2345239961960&sysparm_article=KB0023194sys_kb_id=9269c25b1b795410f2888739cd4bcb16> \"4.0.0.0\" ) \n \n## Workarounds and Mitigations\n\nAffected Component| Fixed Version \n---|--- \nIBM Guardium for Cloud Key Management (GCKM)| GCKM 1.8.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-01-12T14:42:24", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674", "CVE-2016-9878", "CVE-2017-15095", "CVE-2017-17485", "CVE-2017-4995", "CVE-2017-7525", "CVE-2017-7957", "CVE-2018-1000632", "CVE-2018-1000873", "CVE-2018-10237", "CVE-2018-11039", "CVE-2018-11040", "CVE-2018-11307", "CVE-2018-1199", "CVE-2018-12022", "CVE-2018-12023", "CVE-2018-1257", "CVE-2018-1270", "CVE-2018-1271", "CVE-2018-1272", "CVE-2018-1275", "CVE-2018-14718", "CVE-2018-14719", "CVE-2018-14720", "CVE-2018-14721", "CVE-2018-15756", "CVE-2018-19360", "CVE-2018-19361", "CVE-2018-19362", "CVE-2018-5968", "CVE-2018-7489", "CVE-2019-11272", "CVE-2019-12086", "CVE-2019-12384", "CVE-2019-12814", "CVE-2019-3774", "CVE-2019-3795", "CVE-2019-4160", "CVE-2019-4687", "CVE-2019-4702"], "modified": "2021-01-12T14:42:24", "id": "366CE799D9AEE4234CE4D38A22D774A769300127F0319D9238DAEC27C48436E1", "href": "https://www.ibm.com/support/pages/node/6403331", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-07T19:08:36", "description": "## Summary\n\nSecurity vulnerabilities have been addressed in IBM Cognos Analytics 11.2.2. These vulnerabilities have also been previously addressed in IBM Cognos Analytics 11.1.7 FP4 where applicable.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-29824](<https://vulners.com/cve/CVE-2021-29824>) \n** DESCRIPTION: **IBM Cognos Analytics is vulnerable to priviledge escalation where a lower level user could have read access to to the 'Data Connections' page to which they don't have access. \nCVSS Base score: 3.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/204468](<https://exchange.xforce.ibmcloud.com/vulnerabilities/204468>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2021-23337](<https://vulners.com/cve/CVE-2021-23337>) \n** DESCRIPTION: **Node.js lodash module could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a command injection flaw in the template. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. \nCVSS Base score: 7.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/196797](<https://exchange.xforce.ibmcloud.com/vulnerabilities/196797>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-23840](<https://vulners.com/cve/CVE-2021-23840>) \n** DESCRIPTION: **OpenSSL is vulnerable to a denial of service, caused by an integer overflow in CipherUpdate. By sending an overly long argument, an attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/196848](<https://exchange.xforce.ibmcloud.com/vulnerabilities/196848>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-22884](<https://vulners.com/cve/CVE-2021-22884>) \n** DESCRIPTION: **Node.js is vulnerable to a denial of service, caused by an error when the whitelist includes \"localhost6\". By controlling the victim's DNS server or spoofing its responses, an attacker could exploit this vulnerability to bypass the DNS rebinding protection mechanism using the \"localhost6\" domain and cause a denial of service. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197191](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197191>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H) \n \n** CVEID: **[CVE-2021-22883](<https://vulners.com/cve/CVE-2021-22883>) \n** DESCRIPTION: **Node.js is vulnerable to a denial of service, caused by a file descriptor leak. By making multiple attempts to connect with an 'unknownProtocol', an attacker could exploit this vulnerability to lead to an excessive memory usage and cause the system to run out of memory. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197190](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197190>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-38886](<https://vulners.com/cve/CVE-2021-38886>) \n** DESCRIPTION: **IBM Cognos Analytics is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209399](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209399>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2018-1000632](<https://vulners.com/cve/CVE-2018-1000632>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-8203](<https://vulners.com/cve/CVE-2020-8203>) \n** DESCRIPTION: **Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution attack. A remote attacker could exploit this vulnerability using the merge, mergeWith, and defaultsDeep functions to inject properties onto Object.prototype to crash the server and possibly execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183560](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183560>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-22939](<https://vulners.com/cve/CVE-2021-22939>) \n** DESCRIPTION: **Node.js could allow a remote attacker to bypass security restrictions. If the https API was used incorrectly and \"undefined\" was in passed for the \"rejectUnauthorized\" parameter, an attacker could exploit this vulnerability to connect to servers using an expired certificate. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/207233](<https://exchange.xforce.ibmcloud.com/vulnerabilities/207233>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2021-22931](<https://vulners.com/cve/CVE-2021-22931>) \n** DESCRIPTION: **Node.js could provide weaker than expected security, caused by missing input validation on hostnames returned by DNS servers. An attacker could exploit this vulnerability to cause output of wrong hostnames leading to Domain Hijacking and and injection vulnerabilities in applications using the library. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/207230](<https://exchange.xforce.ibmcloud.com/vulnerabilities/207230>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-28500](<https://vulners.com/cve/CVE-2020-28500>) \n** DESCRIPTION: **Node.js lodash module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) in the toNumber, trim and trimEnd functions. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/196972](<https://exchange.xforce.ibmcloud.com/vulnerabilities/196972>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-23343](<https://vulners.com/cve/CVE-2021-23343>) \n** DESCRIPTION: **path-parse is vulnerable to a denial of service. By sending a specially-crafted request via splitDeviceRe, splitTailRe, and splitPathRe regular expressions, a remote attacker could exploit this vulnerability to cause a regular expression denial of service (ReDoS). \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/201206](<https://exchange.xforce.ibmcloud.com/vulnerabilities/201206>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2021-32808](<https://vulners.com/cve/CVE-2021-32808>) \n** DESCRIPTION: **CKEditor is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the clipboard Widget plugin if used alongside the undo feature. A remote attacker could exploit this vulnerability using malformed widget HTML, which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 7.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/207430](<https://exchange.xforce.ibmcloud.com/vulnerabilities/207430>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N) \n \n** CVEID: **[CVE-2021-22940](<https://vulners.com/cve/CVE-2021-22940>) \n** DESCRIPTION: **Node.js could allow a remote attacker to bypass security restrictions, caused by an incomplete fix for CVE-2021-22930 related to a use-after-free on close http2 on stream canceling. An attacker could exploit this vulnerability to corrupt memory to change process behavior. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/207520](<https://exchange.xforce.ibmcloud.com/vulnerabilities/207520>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2021-38946](<https://vulners.com/cve/CVE-2021-38946>) \n** DESCRIPTION: **IBM Cognos Analytics is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211240](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211240>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-22930](<https://vulners.com/cve/CVE-2021-22930>) \n** DESCRIPTION: **Node.js could allow a remote attacker to bypass security restrictions, caused by a use-after-free on close http2 on stream canceling. An attacker could exploit this vulnerability to corrupt memory to change process behavior. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/206473](<https://exchange.xforce.ibmcloud.com/vulnerabilities/206473>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2021-33829](<https://vulners.com/cve/CVE-2021-33829>) \n** DESCRIPTION: **CKEditor is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 7.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/203802](<https://exchange.xforce.ibmcloud.com/vulnerabilities/203802>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-22921](<https://vulners.com/cve/CVE-2021-22921>) \n** DESCRIPTION: **Node.js could allow a local attacker to gain elevated privileges on the system, caused by improper configuration of permissions in the installation directory. Under certain conditions. An attacker could exploit this vulnerability to perform PATH and DLL hijacking attacks. \nCVSS Base score: 7.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/204785](<https://exchange.xforce.ibmcloud.com/vulnerabilities/204785>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-22918](<https://vulners.com/cve/CVE-2021-22918>) \n** DESCRIPTION: **Node.js is vulnerable to a denial of service, caused by an out-of-bounds read in the libuv's uv__idna_toascii() function. By invoking the function using dns module's lookup() function, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/204784](<https://exchange.xforce.ibmcloud.com/vulnerabilities/204784>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) \n \n** CVEID: **[CVE-2019-10744](<https://vulners.com/cve/CVE-2019-10744>) \n** DESCRIPTION: **Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution flaw. By sending a specially-crafted request using a constructor payload, a remote attacker could exploit this vulnerability to inject properties onto Object.prototype to cause a denial of service condition. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167415](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167415>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) \n \n** CVEID: **[CVE-2021-36373](<https://vulners.com/cve/CVE-2021-36373>) \n** DESCRIPTION: **Apache Ant is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/205311](<https://exchange.xforce.ibmcloud.com/vulnerabilities/205311>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-36179](<https://vulners.com/cve/CVE-2020-36179>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194374](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194374>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-36180](<https://vulners.com/cve/CVE-2020-36180>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194375](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194375>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-36181](<https://vulners.com/cve/CVE-2020-36181>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194376](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194376>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-36182](<https://vulners.com/cve/CVE-2020-36182>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194377](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194377>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-36183](<https://vulners.com/cve/CVE-2020-36183>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194378](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194378>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-36184](<https://vulners.com/cve/CVE-2020-36184>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194379](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194379>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-36185](<https://vulners.com/cve/CVE-2020-36185>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194380](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194380>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-36186](<https://vulners.com/cve/CVE-2020-36186>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194381](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194381>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-36187](<https://vulners.com/cve/CVE-2020-36187>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194382](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194382>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-2369](<https://vulners.com/cve/CVE-2021-2369>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Library component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/205796](<https://exchange.xforce.ibmcloud.com/vulnerabilities/205796>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2019-8331](<https://vulners.com/cve/CVE-2019-8331>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the tooltip or popover data-template. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/157409](<https://exchange.xforce.ibmcloud.com/vulnerabilities/157409>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-14041](<https://vulners.com/cve/CVE-2018-14041>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the data-target property of scrollspy. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/146467](<https://exchange.xforce.ibmcloud.com/vulnerabilities/146467>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-14042](<https://vulners.com/cve/CVE-2018-14042>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the data-container property of tooltip. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/146466](<https://exchange.xforce.ibmcloud.com/vulnerabilities/146466>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2018-14040](<https://vulners.com/cve/CVE-2018-14040>) \n** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the collapse data-parent attribute. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/146468](<https://exchange.xforce.ibmcloud.com/vulnerabilities/146468>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-22959](<https://vulners.com/cve/CVE-2021-22959>) \n** DESCRIPTION: **Node.js is vulnerable to HTTP request smuggling, caused by an error related to a space in headers. A remote attacker could send a specially-crafted request with a space (SP) right after the header name before the colon to lead to HTTP Request Smuggling (HRS). An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211168](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211168>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-36374](<https://vulners.com/cve/CVE-2021-36374>) \n** DESCRIPTION: **Apache Ant is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By persuading a victim to open a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/205314](<https://exchange.xforce.ibmcloud.com/vulnerabilities/205314>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-37714](<https://vulners.com/cve/CVE-2021-37714>) \n** DESCRIPTION: **jsoup is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause the HTML and XML parser to get stuck, timeout, or throw unchecked exceptions resulting in a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/207858](<https://exchange.xforce.ibmcloud.com/vulnerabilities/207858>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-21290](<https://vulners.com/cve/CVE-2021-21290>) \n** DESCRIPTION: **Netty could allow a local authenticated attacker to obtain sensitive information, caused by an insecure temp file in Unix-like systems. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197110](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197110>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2021-38904](<https://vulners.com/cve/CVE-2021-38904>) \n** DESCRIPTION: **IBM Cognos Analytics could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings. \nCVSS Base score: 4.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209693](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209693>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2021-20464](<https://vulners.com/cve/CVE-2021-20464>) \n** DESCRIPTION: **IBM Cognos Analytics PowerPlay could be vulnerable to an XML Bomb attack by a malicious authenticated user. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/196813](<https://exchange.xforce.ibmcloud.com/vulnerabilities/196813>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-22960](<https://vulners.com/cve/CVE-2021-22960>) \n** DESCRIPTION: **Node.js is vulnerable to HTTP request smuggling, caused by an error when parsing the body of chunked requests. A remote attacker could send a specially-crafted request to lead to HTTP Request Smuggling (HRS). An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211171](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211171>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-38903](<https://vulners.com/cve/CVE-2021-38903>) \n** DESCRIPTION: **IBM Cognos Anlytics is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209691](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209691>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-32809](<https://vulners.com/cve/CVE-2021-32809>) \n** DESCRIPTION: **CKEditor is vulnerable to HTML injection. A remote authenticated attacker could inject malicious HTML code into the editor, which when viewed, would abuse the paste functionality and executed in the victim's Web browser within the security context of the hosting site. \nCVSS Base score: 4.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/207429](<https://exchange.xforce.ibmcloud.com/vulnerabilities/207429>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-38905](<https://vulners.com/cve/CVE-2021-38905>) \n** DESCRIPTION: **iBM Cognos Analytics could allow an authenticated user to view report pages that they should not have access to. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209697](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209697>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Cognos Analytics 11.2.x\n\nIBM Cognos Analytics 11.1.x\n\n## Remediation/Fixes\n\n**For IBM Cognos Analytics 11.2.x: \n**\n\n[Downloading IBM Cognos Analytics 11.2.2](<https://www.ibm.com/support/pages/node/6564061> \"Downloading IBM Cognos Analytics 11.2.2\" )\n\n**For IBM Cognos Analytics 11.1.x: \n**\n\n[IBM Cognos Analytics 11.1.7 IF9](<https://www.ibm.com/support/pages/node/6525664> \"IBM Cognos Analytics 11.1.7 IF9\" )\n\n**IBM Cognos Analytics on Cloud**\n\nThese vulnerabilities have been remediated on all IBM Cognos Analytics on Cloud environments and no further action is required.\n\n**Notes:**\n\nCVE-2021-23840 is specific to OpenSSL used within NodeJS.\n\nAlthough IBM Cognos Analytics is not vulnerable to the listed CVEs, all instances of Apache Log4j v1.x were proactively upgraded to Apache Log4j v2.17.1 for the IBM Cognos Analytics 11.1 and 11.2 streams. (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305 and CVE-2022-23307)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-25T16:43:12", "type": "ibm", "title": "Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632", "CVE-2018-14040", "CVE-2018-14041", "CVE-2018-14042", "CVE-2019-10744", "CVE-2019-8331", "CVE-2020-28500", "CVE-2020-36179", "CVE-2020-36180", "CVE-2020-36181", "CVE-2020-36182", "CVE-2020-36183", "CVE-2020-36184", "CVE-2020-36185", "CVE-2020-36186", "CVE-2020-36187", "CVE-2020-8203", "CVE-2021-20464", "CVE-2021-21290", "CVE-2021-22883", "CVE-2021-22884", "CVE-2021-22918", "CVE-2021-22921", "CVE-2021-22930", "CVE-2021-22931", "CVE-2021-22939", "CVE-2021-22940", "CVE-2021-22959", "CVE-2021-22960", "CVE-2021-23337", "CVE-2021-23343", "CVE-2021-2369", "CVE-2021-23840", "CVE-2021-29824", "CVE-2021-32808", "CVE-2021-32809", "CVE-2021-33829", "CVE-2021-36373", "CVE-2021-36374", "CVE-2021-37714", "CVE-2021-38886", "CVE-2021-38903", "CVE-2021-38904", "CVE-2021-38905", "CVE-2021-38946", "CVE-2021-4104", "CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307"], "modified": "2022-04-25T16:43:12", "id": "FE6D95CEEFE9596CD6D6134F8326AB13E3C97D550B3E62F57DECDBDBC51C329A", "href": "https://www.ibm.com/support/pages/node/6570957", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-12-08T22:20:31", "description": "## Summary\n\nThere are multiple vulnerabilities in open source libraries used by IBM MobileFirst Platform Foundation. They are addressed in this update.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-3517](<https://vulners.com/cve/CVE-2022-3517>) \n** DESCRIPTION: **minimatch is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the braceExpand function. By sending specially-crafted regex arguments, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/238615](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238615>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2016-10540](<https://vulners.com/cve/CVE-2016-10540>) \n** DESCRIPTION: **Node.js minimatch module is vulnerable to a denial of service, caused by a flaw in the minimatch function. By using a specially-crafted value, a remote attacker could exploit this vulnerability to cause a regular expression denial of service. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/149140](<https://exchange.xforce.ibmcloud.com/vulnerabilities/149140>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2014-3577](<https://vulners.com/cve/CVE-2014-3577>) \n** DESCRIPTION: **Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the Subject's Common Name (CN) or SubjectAltName field of certificates. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/95327](<https://exchange.xforce.ibmcloud.com/vulnerabilities/95327>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2020-13956](<https://vulners.com/cve/CVE-2020-13956>) \n** DESCRIPTION: **Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189572](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189572>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2015-5262](<https://vulners.com/cve/CVE-2015-5262>) \n** DESCRIPTION: **Apache Commons is vulnerable to a denial of service, caused by the failure to apply a configured connection during the initial handshake of an HTTPS connection by the HttpClient component. An attacker could exploit this vulnerability to accumulate multiple connections and exhaust all available resources. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/106932](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106932>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-21680](<https://vulners.com/cve/CVE-2022-21680>) \n** DESCRIPTION: **Node.js marked module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in block.def. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217319](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217319>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2022-21681](<https://vulners.com/cve/CVE-2022-21681>) \n** DESCRIPTION: **Node.js marked module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in inline.reflinkSearch. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217320](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217320>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-3807](<https://vulners.com/cve/CVE-2021-3807>) \n** DESCRIPTION: **Chalk ansi-regex module for Node.js is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209596](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209596>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2018-1002204](<https://vulners.com/cve/CVE-2018-1002204>) \n** DESCRIPTION: **adm-zip could allow a remote attacker to traverse directories on the system. By persuading a victim to extract a specially-crafted ZIP archive containing \"dot dot slash\" sequences (../), an attacker could exploit this vulnerability to write to arbitrary files on the system. Note: This vulnerability is known as \"Zip-Slip\" \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/147550](<https://exchange.xforce.ibmcloud.com/vulnerabilities/147550>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2021-21366](<https://vulners.com/cve/CVE-2021-21366>) \n** DESCRIPTION: **Node.js xmldom module could allow a remote attacker to bypass security restrictions, caused by improper preserve of system identifiers, FPIs or namespaces during XML processing. By repeatedly parsing and serializing specially-crafted documents, an attacker could exploit this vulnerability to cause unexpected syntactic changes in some downstream applications. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198139](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198139>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2021-32796](<https://vulners.com/cve/CVE-2021-32796>) \n** DESCRIPTION: **Xmldom could provide weaker than expected security, caused by the failure to escape special characters when serializing elements removed from their ancestor. An attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/206492](<https://exchange.xforce.ibmcloud.com/vulnerabilities/206492>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2021-29425](<https://vulners.com/cve/CVE-2021-29425>) \n** DESCRIPTION: **Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper input validation by the FileNameUtils.normalize method. An attacker could send a specially-crafted URL request containing \"dot dot\" sequences (/../) to view arbitrary files on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/199852](<https://exchange.xforce.ibmcloud.com/vulnerabilities/199852>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2022-25647](<https://vulners.com/cve/CVE-2022-25647>) \n** DESCRIPTION: **Google Gson is vulnerable to a denial of service, caused by the deserialization of untrusted data. By using the writeReplace() method, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 7.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217225](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217225>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H) \n \n** CVEID: **[CVE-2017-16138](<https://vulners.com/cve/CVE-2017-16138>) \n** DESCRIPTION: **Node.js mime module is vulnerable to a regular expression denial of service when a mime lookup is performed on untrusted user input. A remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/135677](<https://exchange.xforce.ibmcloud.com/vulnerabilities/135677>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-27292](<https://vulners.com/cve/CVE-2021-27292>) \n** DESCRIPTION: **UAParser.js is vulnerable to a denial of service. By sending a specially crafted User-Agent header, a remote attacker could exploit this vulnerability to cause the application to process the file for an extended time. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198307](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198307>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-7793](<https://vulners.com/cve/CVE-2020-7793>) \n** DESCRIPTION: **ua-parser-js is vulnerable to a denial of service, caused by regular expression denial of service (ReDoS) in multiple regexes. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192997](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192997>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-7733](<https://vulners.com/cve/CVE-2020-7733>) \n** DESCRIPTION: **ua-parser-js is vulnerable to a denial of service. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a regular expression denial of service. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/188397](<https://exchange.xforce.ibmcloud.com/vulnerabilities/188397>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2022-0436](<https://vulners.com/cve/CVE-2022-0436>) \n** DESCRIPTION: **Grunt could allow a local authenticated attacker to traverse directories on the system, caused by lack of protection in file.copy operations for both source and destination directories. An attacker could send a specially-crafted URL request containing \"dot dot\" sequences (/../) to read and write arbitrary files on the system, and gain elevated privileges on the system. \nCVSS Base score: 7.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224411](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224411>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2022-1537](<https://vulners.com/cve/CVE-2022-1537>) \n** DESCRIPTION: **GruntJS Grunt could allow a local authenticated attacker to gain elevated privileges on the system, caused by TOCTOU race condition leading to arbitrary file write flaw. By using a specially-crafted symlink, an authenticated attacker could exploit this vulnerability to gain elevated privileges. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/226275](<https://exchange.xforce.ibmcloud.com/vulnerabilities/226275>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-7729](<https://vulners.com/cve/CVE-2020-7729>) \n** DESCRIPTION: **Node.js grunt module could allow a remote authenticated attacker to execute arbitrary code on the system, caused by the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/187758](<https://exchange.xforce.ibmcloud.com/vulnerabilities/187758>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2017-18077](<https://vulners.com/cve/CVE-2017-18077>) \n** DESCRIPTION: **brace-expansion is vulnerable to a denial of service, caused by a flaw in the index.js. By using a specially-crafted expand argument, a remote attacker could exploit this vulnerability to perform a regular expression denial of service attack. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138421](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138421>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2017-16032](<https://vulners.com/cve/CVE-2017-16032>) \n** DESCRIPTION: **brace-expansion is vulnerable to a denial of service, caused by a flaw in the index.js. By using a specially-crafted expand argument, a remote attacker could exploit this vulnerability to perform a regular expression denial of service attack. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/219755](<https://exchange.xforce.ibmcloud.com/vulnerabilities/219755>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-46175](<https://vulners.com/cve/CVE-2022-46175>) \n** DESCRIPTION: **JSON5 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the parse method. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. \nCVSS Base score: 7.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/242965](<https://exchange.xforce.ibmcloud.com/vulnerabilities/242965>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H) \n \n** CVEID: **[CVE-2020-28499](<https://vulners.com/cve/CVE-2020-28499>) \n** DESCRIPTION: **Node.js merge module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the_recursiveMerge function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197042](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197042>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2018-16469](<https://vulners.com/cve/CVE-2018-16469>) \n** DESCRIPTION: **Node.js merge package is vulnerable to a denial of service. By adding or modifying properties of the Object prototype, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/152520](<https://exchange.xforce.ibmcloud.com/vulnerabilities/152520>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2015-8858](<https://vulners.com/cve/CVE-2015-8858>) \n** DESCRIPTION: **The Node.js uglify-js module is vulnerable to a denial of service, caused by an error in the regular expression implementation. An attacker could exploit this vulnerability using a regular expression to cause the application to hang. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/112573](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112573>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2015-8857](<https://vulners.com/cve/CVE-2015-8857>) \n** DESCRIPTION: **Node.js uglify-js module could provide weaker than expected security, caused by the improper handling of Non-Boolean comparisons during minification. An attacker could exploit this vulnerability using a specially crafted Javascript file to alter functionality after minification. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/112565](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112565>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2021-42550](<https://vulners.com/cve/CVE-2021-42550>) \n** DESCRIPTION: **Logback could allow a remote authenticated attacker to execute arbitrary code on the system. By using a specially-crafted configuration, an attacker could exploit this vulnerability to execute arbitrary code loaded from LDAP servers. \nCVSS Base score: 6.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215533](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215533>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2017-5929](<https://vulners.com/cve/CVE-2017-5929>) \n** DESCRIPTION: **QOS.ch Logback could allow a remote attacker to execute arbitrary code on the system, caused by a serialization error in the ocketServer and ServerSocketReceiver components. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/123503](<https://exchange.xforce.ibmcloud.com/vulnerabilities/123503>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-15168](<https://vulners.com/cve/CVE-2020-15168>) \n** DESCRIPTION: **Node.js node-fetch module is vulnerable to a denial of service, caused by the failure to honor the size option after following a redirect. By using a specially-crafted file, a remote attacker could exploit this vulnerability to consume excessive resource on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/188155](<https://exchange.xforce.ibmcloud.com/vulnerabilities/188155>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2022-0235](<https://vulners.com/cve/CVE-2022-0235>) \n** DESCRIPTION: **Node.js node-fetch could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when fetching a remote url with Cookie. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217758](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217758>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2022-0144](<https://vulners.com/cve/CVE-2022-0144>) \n** DESCRIPTION: **ShellJS could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper privilege management. By sending a specially-crafted request, an attacker could exploit this vulnerability to escalate privileges. \nCVSS Base score: 7.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217066](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217066>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) \n \n** CVEID: **[CVE-2020-7789](<https://vulners.com/cve/CVE-2020-7789>) \n** DESCRIPTION: **node-notifier could allow a remote attacker to execute arbitrary commands on the system, caused by improper sanitization of options params. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. \nCVSS Base score: 5.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/193001](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193001>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2021-3777](<https://vulners.com/cve/CVE-2021-3777>) \n** DESCRIPTION: **Node.js nodejs-tmpl module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209443](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209443>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2018-1000632](<https://vulners.com/cve/CVE-2018-1000632>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2022-2596](<https://vulners.com/cve/CVE-2022-2596>) \n** DESCRIPTION: **Node.js node-fetch module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the isOriginPotentiallyTrustworthy() function in the referrer.js script. By sending specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/232616](<https://exchange.xforce.ibmcloud.com/vulnerabilities/232616>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-10202](<https://vulners.com/cve/CVE-2019-10202>) \n** DESCRIPTION: **Red Hat JBoss Enterprise Application Platform (EAP) could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization in Codehaus. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168251](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168251>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-10172](<https://vulners.com/cve/CVE-2019-10172>) \n** DESCRIPTION: **Jackson-mapper-asl could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending a specially-crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172436](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172436>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2021-23440](<https://vulners.com/cve/CVE-2021-23440>) \n** DESCRIPTION: **Nodejs set-value module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209431](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209431>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-10747](<https://vulners.com/cve/CVE-2019-10747>) \n** DESCRIPTION: **Node.js set-value module is vulnerable to a denial of service, caused by a prototype pollution flaw. By sending a specially-crafted request using a constructor payload, a remote attacker could exploit this vulnerability to inject properties onto Object.prototype to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167421](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167421>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-23437](<https://vulners.com/cve/CVE-2022-23437>) \n** DESCRIPTION: **Apache Xerces2 Java XML Parser is vulnerable to a denial of service, caused by an infinite loop in the XML parser. By persuading a victim to open a specially-crafted XML document payloads, a remote attacker could exploit this vulnerability to consume system resources for prolonged duration. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217982](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217982>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2022-24823](<https://vulners.com/cve/CVE-2022-24823>) \n** DESCRIPTION: **Netty could allow a local authenticated attacker to obtain sensitive information, caused by a flaw when temporary storing uploads on the disk is enabled. By gaining access to the local system temporary directory, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/225922](<https://exchange.xforce.ibmcloud.com/vulnerabilities/225922>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-10746](<https://vulners.com/cve/CVE-2019-10746>) \n** DESCRIPTION: **Node.js mixin-deep module is vulnerable to a denial of service, caused by a prototype pollution flaw. By sending a specially-crafted request using a constructor payload, a remote attacker could exploit this vulnerability to inject properties onto Object.prototype to cause a denial of service condition. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167420](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167420>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-5484](<https://vulners.com/cve/CVE-2019-5484>) \n** DESCRIPTION: **Node.js bower module could allow a local attacker to launch a symlink attack. The bower module creates temporary files insecurely. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to overwrite arbitrary files on the system with elevated privileges. \nCVSS Base score: 4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/156341](<https://exchange.xforce.ibmcloud.com/vulnerabilities/156341>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-28282](<https://vulners.com/cve/CVE-2020-28282>) \n** DESCRIPTION: **Node.js getobject module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/193998](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193998>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2021-43138](<https://vulners.com/cve/CVE-2021-43138>) \n** DESCRIPTION: **Async could allow a remote attacker to execute arbitrary code on the system, caused by prototype pollution in the mapValues() method. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223605](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223605>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2021-32804](<https://vulners.com/cve/CVE-2021-32804>) \n** DESCRIPTION: **Node.js tar module could allow a local attacker to traverse directories on the system, caused by insufficient absolute path sanitization. An attacker could use a specially-crafted tar file containing \"dot dot\" sequences (/../) to create or overwrite arbitrary files on the system. \nCVSS Base score: 8.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/206719](<https://exchange.xforce.ibmcloud.com/vulnerabilities/206719>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2021-37713](<https://vulners.com/cve/CVE-2021-37713>) \n** DESCRIPTION: **Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by insufficient logic on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target. An attacker could exploit this vulnerability to create or overwrite arbitrary files and execute arbitrary code on the system. \nCVSS Base score: 8.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208451](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208451>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2021-37712](<https://vulners.com/cve/CVE-2021-37712>) \n** DESCRIPTION: **Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by an arbitrary file creation/overwrite vulnerability. By creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, an attacker could use an untrusted tar file to symlink into an arbitrary location and extract arbitrary files into that location to create or overwrite arbitrary files and execute arbitrary code on the system. \nCVSS Base score: 8.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208450](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208450>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2021-37701](<https://vulners.com/cve/CVE-2021-37701>) \n** DESCRIPTION: **Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by an arbitrary file creation/overwrite vulnerability. By creating a directory, and then replacing that directory with a symlink, an attacker could use an untrusted tar file to symlink into an arbitrary location and extract arbitrary files into that location to create or overwrite arbitrary files and execute arbitrary code on the system. \nCVSS Base score: 8.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208442](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208442>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2018-20834](<https://vulners.com/cve/CVE-2018-20834>) \n** DESCRIPTION: **node-tar could allow a remote attacker to overwrite arbitrary files, caused by a conjunction when extracting a tarball containing a hardlink to a file. An attacker could exploit this vulnerability to overwrite arbitrary files on the system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/161634](<https://exchange.xforce.ibmcloud.com/vulnerabilities/161634>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2021-32803](<https://vulners.com/cve/CVE-2021-32803>) \n** DESCRIPTION: **Node.js tar module could allow a local attacker to traverse directories on the system, caused by insufficient symlink protection. An attacker could use a specially-crafted tar file containing \"dot dot\" sequences (/../) to create or overwrite arbitrary files on the system. \nCVSS Base score: 8.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/206717](<https://exchange.xforce.ibmcloud.com/vulnerabilities/206717>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2020-7788](<https://vulners.com/cve/CVE-2020-7788>) \n** DESCRIPTION: **Node.js ini module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192931](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192931>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2022-36033](<https://vulners.com/cve/CVE-2022-36033>) \n** DESCRIPTION: **jsoup is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/234845](<https://exchange.xforce.ibmcloud.com/vulnerabilities/234845>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-37714](<https://vulners.com/cve/CVE-2021-37714>) \n** DESCRIPTION: **jsoup is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause the HTML and XML parser to get stuck, timeout, or throw unchecked exceptions resulting in a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/207858](<https://exchange.xforce.ibmcloud.com/vulnerabilities/207858>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2015-6748](<https://vulners.com/cve/CVE-2015-6748>) \n** DESCRIPTION: **jsoup is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when handling tags without a closing > when reaching EOF. A remote attacker could exploit this vulnerability using specially crafted HTML to execute script in a victim's Web browser. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/106163](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106163>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2014-3643](<https://vulners.com/cve/CVE-2014-3643>) \n** DESCRIPTION: **Jersey could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by jersey SAX parser. By sending a specially-crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174788](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174788>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2021-3803](<https://vulners.com/cve/CVE-2021-3803>) \n** DESCRIPTION: **nth-check is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209593](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209593>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2012-6153](<https://vulners.com/cve/CVE-2012-6153>) \n** DESCRIPTION: **Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by an incomplete fix related to the failure to verify that the server hostname matches a domain name in the Subject's Common Name (CN) or SubjectAltName field of certificates. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/95328](<https://exchange.xforce.ibmcloud.com/vulnerabilities/95328>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2011-1498](<https://vulners.com/cve/CVE-2011-1498>) \n** DESCRIPTION: **Apache HttpComponents could allow a remote attacker to obtain sensitive information, caused by an unspecified error in HttpClient. An attacker could exploit this vulnerability to send the Proxy-Authorization header to the host and disclose the user's password. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/66241](<https://exchange.xforce.ibmcloud.com/vulnerabilities/66241>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n** CVEID: **[CVE-2018-10237](<https://vulners.com/cve/CVE-2018-10237>) \n** DESCRIPTION: **Google Guava is vulnerable to a denial of service, caused by improper eager allocation checks in the AtomicDoubleArray and CompoundOrdering class. By sending a specially-crafted data, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/142508](<https://exchange.xforce.ibmcloud.com/vulnerabilities/142508>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-8908](<https://vulners.com/cve/CVE-2020-8908>) \n** DESCRIPTION: **Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(). By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192996](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192996>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) \n \n** IBM X-Force ID: **220912 \n** DESCRIPTION: **Apache HttpComponents Client could allow a remote attacker to traverse directories on the system, caused by improper validation of user requests. An attacker could send a specially-crafted URL request containing \"dot dot\" sequences (/../) to view files on the system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/220912 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/220912>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** IBM X-Force ID: **177835 \n** DESCRIPTION: **Apache Commons Codec could allow a remote attacker to obtain sensitive information, caused by the improper validation of input. An attacker could exploit this vulnerability using a method call to obtain sensitive information. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/177835 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177835>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** IBM X-Force ID: **220988 \n** DESCRIPTION: **Node.js xmlbuilder-js module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/220988 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/220988>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** IBM X-Force ID: **221209 \n** DESCRIPTION: **mem is vulnerable to a denial of service, caused by the failure in removal old values from the cache. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/221209 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/221209>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** IBM X-Force ID: **172542 \n** DESCRIPTION: **AngularJS could allow a remote attacker to hijack the clicking action of the victim, caused by an error when enabling the SVG setting without taking other precautions. By persuading a victim to visit a specially-crafted Web site, a remote attacker could hijack the victim's click actions. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/172542 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172542>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) \n \n** IBM X-Force ID: **172545 \n** DESCRIPTION: **AngularJS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using assignment on constructor properties to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/172545 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172545>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) \n \n** IBM X-Force ID: **172544 \n** DESCRIPTION: **AngularJS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the document.implementation.createHTMLDocument(). A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/172544 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172544>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n** IBM X-Force ID: **172547 \n** DESCRIPTION: **AngularJS is vulnerable to cross-site scripting, caused by the failure to blocklist the usemap attribute. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/172547 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172547>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) \n \n** IBM X-Force ID: **172541 \n** DESCRIPTION: **AngularJS is vulnerable to cross-site scripting, caused by attempting to check the input for possible mXSS payload and the verification errors by $sanitize sanitizer. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 7.1 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/172541 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172541>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) \n \n** IBM X-Force ID: **172546 \n** DESCRIPTION: **AngularJS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the SVG element to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/172546 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172546>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) \n \n** IBM X-Force ID: **217225 \n** DESCRIPTION: **Google Gson is vulnerable to a denial of service, caused by the deserialization of untrusted data. By using the writeReplace() method, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 7.7 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/217225 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217225>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H) \n \n** IBM X-Force ID: **234366 \n** DESCRIPTION: **Newtonsoft.Json is vulnerable to a denial of service, caused by improper handling of StackOverFlow exception (SOE) whenever nested expressions are being processed. By sending specially-crafted requests, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/234366 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/234366>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** IBM X-Force ID: **220727 \n** DESCRIPTION: **Angular AngularJS could allow a remote attacker to bypass security restrictions, caused by improper access control to the constructors. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass sandbox protection. \nCVSS Base score: 7.4 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/220727 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/220727>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n** IBM X-Force ID: **207316 \n** DESCRIPTION: **Node.js marked module is vulnerable to a denial of service, caused by the inclusion of multiple unused capture groups in the em regex within src/rules.js file. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a Regular Expression Denial of Service (ReDoS). \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/207316 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/207316>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** IBM X-Force ID: **220997 \n** DESCRIPTION: **Node.js marked module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the heading. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/220997 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/220997>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** IBM X-Force ID: **159366 \n** DESCRIPTION: **Node.js marked module is vulnerable to a denial of service, caused by improper regular expression validation by the Email addresses. By using specially-crafted input, a remote attacker could exploit this vulnerability to cause the node process to crash. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/159366 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159366>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM MobileFirst Foundation| 8.x.x \n \n## Remediation/Fixes\n\n**Product(s)**| **Version Number(s) and/or range**| **Remediation/Fix/Instructions** \n---|---|--- \nIBM MobileFirst Platform Foundation| 8.0| \n\niFix build 8.0.0.0-MFPF-IF202302140510 build includes fixes to resolve vulnerable third party libraries(PH52648).\n\nPlease download from [Fix Central](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%2FOther%20software&product=ibm/Other+software/IBM+MobileFirst+Platform+Foundation&release=All&platform=All&function=fixId&fixids=8.0.0.0-MFPF-IF202302140510&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=dbluesearch&mhsrc=ibmsearch_a&mhq=IF202302140510>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-17T15:44:51", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities found with third-party libraries used by IBM\u00ae MobileFirst Platform", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-1498", "CVE-2012-6153", "CVE-2014-3577", "CVE-2014-3643", "CVE-2015-5262", "CVE-2015-6748", "CVE-2015-8857", "CVE-2015-8858", "CVE-2016-10540", "CVE-2017-16032", "CVE-2017-16138", "CVE-2017-18077", "CVE-2017-5929", "CVE-2018-1000632", "CVE-2018-1002204", "CVE-2018-10237", "CVE-2018-16469", "CVE-2018-20834", "CVE-2019-10172", "CVE-2019-10202", "CVE-2019-10746", "CVE-2019-10747", "CVE-2019-5484", "CVE-2020-13956", "CVE-2020-15168", "CVE-2020-28282", "CVE-2020-28499", "CVE-2020-7729", "CVE-2020-7733", "CVE-2020-7788", "CVE-2020-7789", "CVE-2020-7793", "CVE-2020-8908", "CVE-2021-21366", "CVE-2021-23440", "CVE-2021-27292", "CVE-2021-29425", "CVE-2021-32796", "CVE-2021-32803", "CVE-2021-32804", "CVE-2021-37701", "CVE-2021-37712", "CVE-2021-37713", "CVE-2021-37714", "CVE-2021-3777", "CVE-2021-3803", "CVE-2021-3807", "CVE-2021-42550", "CVE-2021-43138", "CVE-2022-0144", "CVE-2022-0235", "CVE-2022-0436", "CVE-2022-1537", "CVE-2022-21680", "CVE-2022-21681", "CVE-2022-23437", "CVE-2022-24823", "CVE-2022-25647", "CVE-2022-2596", "CVE-2022-3517", "CVE-2022-36033", "CVE-2022-46175"], "modified": "2023-02-17T15:44:51", "id": "9D9A01E02514803E9E0E5DD88830752E1595E1F1CC50F35B26CA6DC44AE2E184", "href": "https://www.ibm.com/support/pages/node/6956539", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-12-30T21:39:51", "description": "## Question\n\nIs there a list of security bulletins that describe resolved vulnerabilities affecting Log Analysis?\n\n## Answer\n\nLog Analysis is made up of several [components](<https://www.ibm.com/docs/en/oala/1.3.7?topic=analysis-architecture>). The following table contains security bulletins that address the vulnerability of various\n\ncomponents in Log Analysis, listed by release.\n\nVersion | CVE No. | Component | Vulnerability Description \n---|---|---|--- \n1.3.7 IF001 | Internal Vulnerability | Log Analysis | CSRFToken is not validated or updated on logout and login \nThe CSRFToken is not validated or updated on each logout and login by Log Analysis. Token value remains the same for all the logins and active sessions until users close the browser. \n1.3.7 IF001 | Internal Vulnerability | Log Analysis | Log Analysis Help pages are vulnerable to Clickjacking \nX-frame-Option header was implemented for Log Analysis application. However this was not implemented for Log Analysis help pages to prevent Clickjacking. \n1.3.7 | CVE-2017-1000190 | Apache Solr | [Security Bulletin: Vulnerability in Apache Solr affects IBM Operations Analytics - Log Analysis (CVE-2017-1000190)](<https://www.ibm.com/support/pages/node/6446147>) \n1.3.7 | CVE-2020-11620 \nCVE-2020-10969 \nCVE-2020-14062 \nCVE-2020-14060 \nCVE-2020-11112 \nCVE-2020-10968 \nCVE-2020-10672 \nCVE-2020-9548 \nCVE-2020-9546 \nCVE-2020-11619 \nCVE-2020-11111 \nCVE-2020-14195 \nCVE-2020-14061 \nCVE-2020-11113 \nCVE-2020-9547 \nCVE-2020-10673 \nCVE-2019-10202 \nCVE-2019-17531 \nCVE-2019-14893 \nCVE-2020-8840 \nCVE-2019-10172 | Apache Solr | [Security Bulletin: Series of vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics - Log Analysis](<https://www.ibm.com/support/pages/node/6446143>) \n1.3.7 | CVE-2019-17558 | Apache Solr | [Security Bulletin: Vulnerability in Apache Solr affects IBM Operations Analytics - Log Analysis (CVE-2019-17558)](<https://www.ibm.com/support/pages/node/6445363>) \n1.3.7 | CVE-2014-3643 | Apache Zookeeper | [Security Bulletin: Vulnerability in jersey affect Apache Zookeeper shipped with IBM Operations Analytics - Log Analysis (CVE-2014-3643)](<https://www.ibm.com/support/pages/node/6445361>) \n1.3.7 | CVE-2015-5237 | Apache Solr | [Security Bulletin: protobuf Vulnerability in Apache Solr affect IBM Operations Analytics - Log Analysis Analysis (CVE-2015-5237)](<https://www.ibm.com/support/pages/node/6445359>) \n1.3.7 | CVE-2019-10246 \nCVE-2019-10247 \nCVE-2019-10241 | Apache Solr | [Security Bulletin: Multiple vulnerabilities in Eclipse Jetty affect Apache Solr shipped with IBM Operations Analytics - Log Analysis](<https://www.ibm.com/support/pages/node/6445357>) \n1.3.7 | CVE-2020-1945 | Apache Ant | [Security Bulletin: Vulnerability in Apache Ant affect IBM Operations Analytics - Log Analysis Analysis (CVE-2020-1945)](<https://www.ibm.com/support/pages/node/6445355>) \n1.3.7 | CVE-2019-17359 | Apache Solr | [Security Bulletin: Vulnerability in Bouncy Castle affect Apache Solr shipped IBM Operations Analytics - Log Analysis Analysis (CVE-2019-17359)](<https://www.ibm.com/support/pages/node/6444781>) \n1.3.7 | CVE-2019-12402 | Apache Solr | [Security Bulletin: Vulnerability in Apache Commons Compress affect Apache Solr shipped IBM Operations Analytics - Log Analysis Analysis (CVE-2019-12402)](<https://www.ibm.com/support/pages/node/6444777>) \n1.3.7 | CVE-2018-11766 \nCVE-2017-15713 | Apache Solr | [Security Bulletin: Multiple vulnerabilities in Apache Hadoop affect Apache Solr shipped with IBM Operations Analytics - Log Analysis](<https://www.ibm.com/support/pages/node/6444773>) \n1.3.7 | CVE-2019-0201 | Apache Zookeeper | [Security Bulletin: IBM Operations Analytics - Log Analysis is affected by an Apache Zookeeper vulnerability (CVE-2019-0201)](<https://www.ibm.com/support/pages/node/6444771>) \n1.3.7 | CVE-2018-11768 | Apache Solr | [Security Bulletin: Vulnerability in Apache Hadoop affect Apache Solr shipped with IBM Operations Analytics - Log Analysis (CVE-2018-11768)](<https://www.ibm.com/support/pages/node/6444767>) \n1.3.7 | CVE-2019-12415 | Apache Solr | [Security Bulletin: Apache Solr, shipped with IBM Operations Analytics - Log Analysis, susceptible to vulnerability in Apache POI (CVE-2019-12415)](<https://www.ibm.com/support/pages/node/6444763>) \n1.3.7 | CVE-2019-0228 | Apache Solr | [Security Bulletin: Vulnerability in Apache PDFBox affect Apache Solr shipped with IBM Operations Analytics - Log Analysis (CVE-2019-0228)](<https://www.ibm.com/support/pages/node/6444757>) \n \n1.3.7 | CVE-2018-1000613 \nCVE-2016-1000342 \nCVE-2016-1000344 \nCVE-2016-1000345 \nCVE-2016-1000339 \nCVE-2016-1000346 \nCVE-2016-1000338 \nCVE-2016-1000343 \nCVE-2016-1000340 \nCVE-2016-1000352 \nCVE-2015-6644 \nCVE-2016-1000341 \nCVE-2018-1000180 | Apache Solr | \n\n[Security Bulletin: Multiple vulnerabilities in Bouncy Castle affects Apache Solr shipped with IBM Operations Analytics - Log Analysis](<https://www.ibm.com/support/pages/node/6444097>) \n \n \n1.3.7 | CVE-2018-14718 \nCVE-2018-14719 \nCVE-2018-19362 \nCVE-2018-14721 \nCVE-2018-11307 \nCVE-2019-16335 \nCVE-2018-19361 \nCVE-2018-14720 \nCVE-2018-19360 \nCVE-2019-14540 \nCVE-2019-14379 \nCVE-2018-12023 \nCVE-2019-14439 \nCVE-2019-12814 \nCVE-2018-12022 \nCVE-2018-5968 \nCVE-2019-12384 \nCVE-2019-12086 | Apache Solr | \n\n[Security Bulletin: Multiple vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics - Log Analysis](<https://www.ibm.com/support/pages/node/6444089>) \n \n \n1.3.7 | Internal Vulnerability | Apache Solr | Vulnerabilities from Apache Commons Fileupload: Apache Solr (Lucene) \nThe class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception. \n1.3.7 | Internal Vulnerability | Apache Solr, \nLog Analysis | [Apache Solr (Lucene) and Unity are vulnerable to Apache commons-codec](<https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b>) \n \n1.3.7 | CVE-2013-4002 \nCVE-2012-0881 \nCVE-2009-2625 | Apache Solr | [Security Bulletin: Apache Solr, shipped with IBM Operations Analytics - Log Analysis, susceptible to multiple vulnerabilities in Apache Xerces2](<https://www.ibm.com/support/pages/node/6444043>) \n1.3.7 | CVE-2018-10237 | Apache Solr | [Security Bulletin: A vulnerability in Apache Solr affects IBM Operations Analytics - Log Analysis Analysis (CVE-2018-10237)](<https://www.ibm.com/support/pages/node/6444041>) \n1.3.7 | CVE-2018-1000632 | Apache Solr | [Security Bulletin: dom4j Vulnerability in Apache Solr shipped with IBM Operations Analytics - Log Analysis Analysis (CVE-2018-1000632)](<https://www.ibm.com/support/pages/node/6444035>) \n1.3.7 | CVE-2018-11761 \nCVE-2018-17197 \nCVE-2019-10088 \nCVE-2019-10094 \nCVE-2018-11796 | Apache Solr | [Security Bulletin: Multiple vulnerabilities in Apache Tika affects Apache Solr shipped with IBM Operations Analytics - Log Analysis](<https://www.ibm.com/support/pages/node/6444033>) \n \n1.3.7 | CVE-2018-8017 | Apache Solr | [Security Bulletin: Vulnerability with Apache Tika in Apache Solr affects IBM Operations Analytics - Log Analysis Analysis (CVE-2018-8017)](<https://www.ibm.com/support/pages/node/6444031>) \n1.3.7 | CVE-2018-11797 | Apache Solr | [Security Bulletin: Vulnerability in Apache PDFBox affect Apache Solr shipped IBM Operations Analytics - Log Analysis Analysis (CVE-2018-11797)](<https://www.ibm.com/support/pages/node/6443675>) \n1.3.7 | CVE-2018-8036 | Apache Solr | [Security Bulletin: Vulnerability in Apache PDFBox affects Apache Solr shipped with IBM Operations Analytics - Log Analysis (CVE-2018-8036)](<https://www.ibm.com/support/pages/node/6443667>) \n1.3.6 FP001 | Internal Vulnerability | Log Analysis | [Security Bulletin: Content Spoofing vulnerability in IBM Operations Analytics - Log Analysis](<https://www.ibm.com/support/pages/node/6242186>) \n1.3.6 FP001 | Internal Vulnerability | Log Analysis | [Security Bulletin: Insecure Path Attribute in IBM Operations Analytics - Log Analysis (CSRFToken , LtpaToken2)](<https://www.ibm.com/support/pages/node/6242190>) \n1.3.6 FP001 | Internal Vulnerability | Log Analysis | [Security Bulletin: Cross site Scripting (Reflected) vulnerability in IBM Operations Analytics - Log Analysis](<https://www.ibm.com/support/pages/node/6242200>) \n1.3.6 FP001 | Internal Vulnerability | Log Analysis | [Security Bulletin: Host Header Injection vulnerability in IBM Operations Analytics - Log Analysis (pre-login scenario)](<https://www.ibm.com/support/pages/node/6242210>) \n1.3.6 FP001 | CVE-2017-3164 | Apache Solr | [Security Bulletin: Potential vulnerability (SSRF) in Apache Solr affect IBM Operations Analytics - Log Analysis (CVE-2017-3164)](<https://www.ibm.com/support/pages/security-bulletin-potential-vulnerability-ssrf-apache-solr-affect-ibm-operations-analytics-log-analysis-cve-2017-3164-0>) \n1.3.6 IF001 | Internal Vulnerability | Log Analysis | [Security Bulletin: Query Parameter in SSL vulnerability in IBM Operations Analytics - Log Analysis](<https://www.ibm.com/support/pages/node/6324045>) \n1.3.6 | CVE-2019-4216 | WebSphere Application Server Liberty | [Security Bulletin: IBM Operations Analytics - Log Analysis is vulnerable to potential Host Header Injection (CVE-2019-4216)](<https://www.ibm.com/support/pages/node/1109745>) \n1.3.6 | CVE-2019-4243 | Apache Solr | [Security Bulletin: A vulnerability in Apache Solr (Lucene) affects IBM Operations Analytics - Log Analysis (CVE-2019-4243)](<https://www.ibm.com/support/pages/node/1109721>) \n1.3.6 | CVE-2019-4215 | WebSphere Application Server Liberty | [Security Bulletin: Clickjacking vulnerability in IBM Operations Analytics - Log Analysis (CVE-2019-4215)](<https://www.ibm.com/support/pages/node/1109769>) \n1.3.6 | CVE-2019-4214 | WebSphere Application Server Liberty | [Security Bulletin: Log Analysis is vulnerable to a client side scripting attack due to missing HTTPOnly and Secure attribute in the cookie](<https://www.ibm.com/support/pages/node/1110171>) \n1.3.6 | CVE-2019-4244 | Apache Zookeeper | [Security Bulletin: IBM Operations Analytics - Log Analysis is affected by an Apache Zookeeper vulnerability (CVE-2019-4244)](<https://www.ibm.com/support/pages/node/1127523>) \n \n1.3.6 | Internal Vulnerability | Log Analysis | [Security Bulletin: Log Analysis is vulnerable to Injection Attacks](<https://www.ibm.com/support/pages/node/6155553>) \n1.3.6 | CVE-2020-13957 | Apache Solr | [Security Bulletin: Vulnerability related to unauthenticated uploads in Apache Solr affect IBM Operations Analytics - Log Analysis (CVE-2020-13957)](<https://www.ibm.com/support/pages/node/6359003>) \n \n1.3.5 FP003 | CVE-2019-0192 | Apache Solr | [Security Bulletin: Potential vulnerability related to Unsafe Deserialization in Apache Solr shipped with IBM Operations Analytics - Log Analysis (CVE-2019-0192)](<https://www.ibm.com/support/pages/security-bulletin-potential-vulnerability-related-unsafe-deserialization-apache-solr-shipped-ibm-operations-analytics-log-analysis-cve-2019-0192>) \n \nThis table contains a list of vulnerabilities that were resolved by the respective version of the component.\n\nAffected Log Analysis Version | CVE No. | Component | Vulnerability Description \n---|---|---|--- \n1.3.5FP3 1.3.6 1.3.6FP1 | CVE-2020-4590 | WebSphere Application Server Liberty | [Security Bulletin: Vulnerability in WebSphere Application Server Liberty affect IBM Operations Analytics - Log Analysis (CVE-2020-4590)](<https://www.ibm.com/support/pages/node/6340079>) \n \n1.3.1\n\n1.3.2\n\n1.3.3\n\n1.3.4\n\n1.3.5\n\n| CVE-2019-4046 | WebSphere Application Server Liberty | [Security Bulletin: Potential denial of service vulnerability in WebSphere Application Server affect IBM Operations Analytics - Log Analysis (CVE-2019-4046)](<https://www.ibm.com/support/pages/node/882870>) \n \n1.3.1\n\n1.3.2\n\n1.3.3\n\n1.3.4\n\n1.3.5FP1\n\n1.3.5FP2\n\n| CVE-2018-10237 | WebSphere Application Server Liberty | [Security Bulletin: Potential denial of service in WebSphere Application Server shipped with IBM Operations Analytics - Log Analysis (CVE-2018-10237)](<https://www.ibm.com/support/pages/security-bulletin-potential-denial-service-websphere-application-server-shipped-ibm-operations-analytics-log-analysis-cve-2018-10237?lnk=hm>) \n1.3.5 | CVE-2017-12624 | WebSphere Application Server Liberty | [Security Bulletin: Denial of Service in Apache CXF used by WebSphere Application Server affect IBM Operations Analytics - Log Analysis (CVE-2017-12624)](<https://www.ibm.com/support/pages/security-bulletin-denial-service-apache-cxf-used-websphere-application-server-affect-ibm-operations-analytics-log-analysis-cve-2017-12624>) \n \n1.3.1\n\n1.3.2\n\n1.3.3\n\n1.3.4\n\n1.3.5\n\n| CVE-2018-1447 \nCVE-2018-1388 \nCVE-2016-0702 \nCVE-2016-0705 \nCVE-2017-3732 \nCVE-2017-3736 \nCVE-2018-1428 \nCVE-2018-1427 \nCVE-2018-1426 | IBM Tivoli \nMonitoring | [Security Bulletin: Multiple vulnerabilities affect the GSKit component of IBM Tivoli Monitoring shipped with IBM Operations Analytics - Log Analysis](<https://www.ibm.com/support/pages/security-bulletin-multiple-vulnerabilities-affect-gskit-component-ibm-tivoli-monitoring-shipped-ibm-operations-analytics-log-analysis>) \n1.3.5 | CVE-2018-1683 | WebSphere Application Server Liberty | [Security Bulletin: Information disclosure in WebSphere Application Server Liberty bundled with IBM Operations Analytics - Log Analysis (CVE-2018-1683)](<https://www.ibm.com/support/pages/security-bulletin-information-disclosure-websphere-application-server-liberty-bundled-ibm-operations-analytics-log-analysis-cve-2018-1683>) \n1.3.5 | CVE-2018-8039 | WebSphere Application Server Liberty | [Security Bulletin: Potential MITM attack in Apache CXF used by WebSphere Application Server affects IBM Operations Analytics - Log Analysis (CVE-2018-8039)](<https://www.ibm.com/support/pages/security-bulletin-potential-mitm-attack-apache-cxf-used-websphere-application-server-affects-ibm-operations-analytics-log-analysis-cve-2018-8039>) \n \n1.3.1\n\n1.3.2\n\n1.3.3\n\n1.3.4\n\n1.3.5\n\n| CVE-2018-1901 | WebSphere Application Server Liberty | [Security Bulletin: Potential Privilege Escalation Vulnerability in WebSphere Application Server shipped with IBM Operations Analytics - Log Analysis (CVE-2018-1901)](<https://www.ibm.com/support/pages/security-bulletin-potential-privilege-escalation-vulnerability-websphere-application-server-shipped-ibm-operations-analytics-log-analysis-cve-2018-1901>) \n \n1.3.5 | CVE-2018-1553 | WebSphere Application Server Liberty | [Security Bulletin: Information disclosure in WebSphere Application Server Liberty affect IBM Operations Analytics - Log Analysis (CVE-2018-1553)](<https://www.ibm.com/support/pages/security-bulletin-information-disclosure-websphere-application-server-liberty-affect-ibm-operations-analytics-log-analysis-cve-2018-1553>) \n \n1.3.4\n\n1.3.5\n\n| CVE-2014-7810 | WebSphere Application Server Liberty | [Security Bulletin: Vulnerability in Expression Language library used by WebSphere Application Server shipped with IBM Operations Analytics - Log Analysis (CVE-2014-7810)](<https://www.ibm.com/support/pages/security-bulletin-vulnerability-expression-language-library-used-websphere-application-server-shipped-ibm-operations-analytics-log-analysis-cve-2014-7810>) \n1.3.5 | CVE-2018-1851 | WebSphere Application Server Liberty | [Security Bulletin: Code execution vulnerability with OpenID connect in WebSphere Application Server Liberty affects IBM Operations Analytics - Log Analysis (CVE-2018-1851)](<https://www.ibm.com/support/pages/security-bulletin-code-execution-vulnerability-openid-connect-websphere-application-server-liberty-affects-ibm-operations-analytics-log-analysis-cve-2018-1851>) \n \n1.3.1\n\n1.3.2\n\n1.3.3\n\n1.3.4\n\n1.3.5\n\n| CVE-2018-1755 | WebSphere Application Server Liberty | [Security Bulletin: Information disclosure in WebSphere Application Server Liberty affect IBM Operations Analytics - Log Analysis (CVE-2018-1755)](<https://www.ibm.com/support/pages/node/792677>) \n \n[{\"Type\":\"MASTER\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Product\":{\"code\":\"SSPFMY\",\"label\":\"IBM Operations Analytics - Log Analysis\"},\"ARM Category\":[{\"code\":\"a8m50000000L0qYAAS\",\"label\":\"Log Analysis\"},{\"code\":\"a8m50000000CcMiAAK\",\"label\":\"Log Analysis->Framework->Security - Vulnerabilities\"}],\"ARM Case Number\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2021-09-01T11:04:11", "type": "ibm", "title": "Log Analysis Security Bulletin List", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2625", "CVE-2012-0881", "CVE-2013-4002", "CVE-2014-3643", "CVE-2014-7810", "CVE-2015-5237", "CVE-2015-6644", "CVE-2016-0702", "CVE-2016-0705", "CVE-2016-1000338", "CVE-2016-1000339", "CVE-2016-1000340", "CVE-2016-1000341", "CVE-2016-1000342", "CVE-2016-1000343", "CVE-2016-1000344", "CVE-2016-1000345", "CVE-2016-1000346", "CVE-2016-1000352", "CVE-2017-1000190", "CVE-2017-12624", "CVE-2017-15713", "CVE-2017-3164", "CVE-2017-3732", "CVE-2017-3736", "CVE-2018-1000180", "CVE-2018-1000613", "CVE-2018-1000632", "CVE-2018-10237", "CVE-2018-11307", "CVE-2018-11761", "CVE-2018-11766", "CVE-2018-11768", "CVE-2018-11796", "CVE-2018-11797", "CVE-2018-12022", "CVE-2018-12023", "CVE-2018-1388", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1428", "CVE-2018-1447", "CVE-2018-14718", "CVE-2018-14719", "CVE-2018-14720", "CVE-2018-14721", "CVE-2018-1553", "CVE-2018-1683", "CVE-2018-17197", "CVE-2018-1755", "CVE-2018-1851", "CVE-2018-1901", "CVE-2018-19360", "CVE-2018-19361", "CVE-2018-19362", "CVE-2018-5968", "CVE-2018-8017", "CVE-2018-8036", "CVE-2018-8039", "CVE-2019-0192", "CVE-2019-0201", "CVE-2019-0228", "CVE-2019-10088", "CVE-2019-10094", "CVE-2019-10172", "CVE-2019-10202", "CVE-2019-10241", "CVE-2019-10246", "CVE-2019-10247", "CVE-2019-12086", "CVE-2019-12384", "CVE-2019-12402", "CVE-2019-12415", "CVE-2019-12814", "CVE-2019-14379", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-17359", "CVE-2019-17531", "CVE-2019-17558", "CVE-2019-4046", "CVE-2019-4214", "CVE-2019-4215", "CVE-2019-4216", "CVE-2019-4243", "CVE-2019-4244", "CVE-2020-10672", "CVE-2020-10673", "CVE-2020-10968", "CVE-2020-10969", "CVE-2020-11111", "CVE-2020-11112", "CVE-2020-11113", "CVE-2020-11619", "CVE-2020-11620", "CVE-2020-13957", "CVE-2020-14060", "CVE-2020-14061", "CVE-2020-14062", "CVE-2020-14195", "CVE-2020-1945", "CVE-2020-4590", "CVE-2020-8840", "CVE-2020-9546", "CVE-2020-9547", "CVE-2020-9548"], "modified": "2021-09-01T11:04:11", "id": "E298AFAE6C10545EEFE2EDCB1E58ACEB81769C82FC173BB89206A046496B5501", "href": "https://www.ibm.com/support/pages/node/6483079", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-12-07T14:54:54", "description": "dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-20T19:31:00", "type": "cve", "title": "CVE-2018-1000632", "cwe": ["CWE-91"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2023-11-07T02:51:00", "cpe": ["cpe:/a:oracle:utilities_framework:4.4.0.0.0", "cpe:/a:oracle:utilities_framework:4.3.0.6.0", "cpe:/a:oracle:flexcube_investor_servicing:14.0.0", "cpe:/a:oracle:rapid_planning:12.1", "cpe:/a:oracle:retail_integration_bus:16.0", "cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.17.1", "cpe:/a:oracle:flexcube_investor_servicing:12.0.4", "cpe:/a:netapp:snapcenter:-", "cpe:/a:oracle:flexcube_investor_servicing:12.4.0", "cpe:/a:redhat:satellite_capsule:6.6", "cpe:/a:oracle:flexcube_investor_servicing:12.1.0", "cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.19.0", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:oracle:utilities_framework:4.2.0.2.0", "cpe:/a:redhat:jboss_enterprise_application_platform:6.0.0", "cpe:/a:oracle:utilities_framework:4.4.0.2", "cpe:/a:netapp:oncommand_workflow_automation:-", "cpe:/a:oracle:flexcube_investor_servicing:12.3.0", "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.0", "cpe:/a:netapp:snap_creator_framework:-", "cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2.20.1", "cpe:/a:redhat:jboss_enterprise_application_platform:7.1.0", "cpe:/a:oracle:utilities_framework:2.2.0", "cpe:/a:redhat:satellite:6.6", "cpe:/a:netapp:snapmanager:-", "cpe:/a:oracle:utilities_framework:4.2.0.3.0", "cpe:/a:oracle:retail_integration_bus:15.0", "cpe:/a:oracle:rapid_planning:12.2", "cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.6.0"], "id": "CVE-2018-1000632", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000632", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2.20.1:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*", "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.17.1:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.19.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*", "cpe:2.3:a:redhat:satellite:6.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:utilities_framework:2.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_investor_servicing:12.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:satellite_capsule:6.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:utilities_framework:4.4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_investor_servicing:14.0.0:*:*:*:*:*:*:*"]}], "debian": [{"lastseen": "2023-12-07T16:43:45", "description": "Package : dom4j\nVersion : 1.6.1+dfsg.3-2+deb8u1\nCVE ID : CVE-2018-1000632\n\nMario Areias discovered that dom4j, a XML framework for Java, was\nvulnerable to a XML injection attack. An attacker able to specify\nattributes or elements in the XML document might be able to modify the\nwhole XML document.\n\nFor Debian 8 "Jessie", this problem has been fixed in version\n1.6.1+dfsg.3-2+deb8u1.\n\nWe recommend that you upgrade your dom4j packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-09-24T18:11:01", "type": "debian", "title": "[SECURITY] [DLA 1517-1] dom4j security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2018-09-24T18:11:01", "id": "DEBIAN:DLA-1517-1:358D4", "href": "https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-10-22T12:50:08", "description": "Package : dom4j\nVersion : 1.6.1+dfsg.3-2+deb8u1\nCVE ID : CVE-2018-1000632\n\nMario Areias discovered that dom4j, a XML framework for Java, was\nvulnerable to a XML injection attack. An attacker able to specify\nattributes or elements in the XML document might be able to modify the\nwhole XML document.\n\nFor Debian 8 "Jessie", this problem has been fixed in version\n1.6.1+dfsg.3-2+deb8u1.\n\nWe recommend that you upgrade your dom4j packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2018-09-24T18:11:01", "type": "debian", "title": "[SECURITY] [DLA 1517-1] dom4j security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2018-09-24T18:11:01", "id": "DEBIAN:DLA-1517-1:7BA55", "href": "https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "suse": [{"lastseen": "2018-12-08T03:29:34", "description": "This update for dom4j fixes the following issues:\n\n - CVE-2018-1000632: Prevent XML injection that could have resulted in an\n attacker tampering with XML documents (bsc#1105443).\n\n This update was imported from the SUSE:SLE-15:Update update project. This\n update was imported from the openSUSE:Leap:15.0:Update update project.\n\n", "cvss3": {}, "published": "2018-12-08T00:22:56", "type": "suse", "title": "Security update for dom4j (moderate)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2018-1000632"], "modified": "2018-12-08T00:22:56", "id": "OPENSUSE-SU-2018:4045-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00016.html", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-28T14:15:15", "description": "This update for dom4j fixes the following issues:\n\n - CVE-2018-1000632: Prevent XML injection vulnerability that allowed an\n attacker to tamper with XML documents (bsc#1105443)\n\n This update was imported from the SUSE:SLE-12:Update update project.\n\n", "cvss3": {}, "published": "2018-09-28T12:13:53", "type": "suse", "title": "Security update for dom4j (moderate)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2018-1000632"], "modified": "2018-09-28T12:13:53", "id": "OPENSUSE-SU-2018:2931-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-09/msg00083.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-12-07T15:29:23", "description": "This update for dom4j fixes the following issues:\n\n - CVE-2018-1000632: Prevent XML injection that could have resulted in an\n attacker tampering with XML documents (bsc#1105443).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "cvss3": {}, "published": "2018-12-07T12:12:51", "type": "suse", "title": "Security update for dom4j (moderate)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2018-1000632"], "modified": "2018-12-07T12:12:51", "id": "OPENSUSE-SU-2018:3998-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00000.html", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "prion": [{"lastseen": "2023-11-22T02:26:19", "description": "dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.", "cvss3": {"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}}, "published": "2018-08-20T19:31:00", "type": "prion", "title": "Input validation", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2021-09-07T06:15:00", "id": "PRION:CVE-2018-1000632", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2018-1000632", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "debiancve": [{"lastseen": "2023-12-07T18:21:05", "description": "dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-20T19:31:00", "type": "debiancve", "title": "CVE-2018-1000632", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2018-08-20T19:31:00", "id": "DEBIANCVE:CVE-2018-1000632", "href": "https://security-tracker.debian.org/tracker/CVE-2018-1000632", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "fedora": [{"lastseen": "2023-12-08T13:08:58", "description": "dom4j is an Open Source XML framework for Java. dom4j allows you to read, write, navigate, create and modify XML documents. dom4j integrates with DOM and SAX and is seamlessly integrated with full XPath support. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-12T05:44:36", "type": "fedora", "title": "[SECURITY] Fedora 34 Update: dom4j-2.0.3-1.fc34", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2021-05-12T05:44:36", "id": "FEDORA:8FE7330D68B0", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "ubuntu": [{"lastseen": "2023-12-07T17:39:28", "description": "## Releases\n\n * Ubuntu 16.04 ESM\n\n## Packages\n\n * dom4j \\- Flexible XML framework for Java\n\nM\u00e1rio Areias discovered that dom4j did not properly validate XML document \nelements. An attacker could exploit this with a crafted XML file to cause \ndom4j to crash, resulting in a denial of service, or possibly execute \narbitrary code. (CVE-2018-1000632)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-11-05T00:00:00", "type": "ubuntu", "title": "dom4j vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2020-11-05T00:00:00", "id": "USN-4619-1", "href": "https://ubuntu.com/security/notices/USN-4619-1", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "redhatcve": [{"lastseen": "2023-05-31T17:28:03", "description": "dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-03-16T07:35:07", "type": "redhatcve", "title": "CVE-2018-1000632", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2023-05-20T05:42:57", "id": "RH:CVE-2018-1000632", "href": "https://access.redhat.com/security/cve/cve-2018-1000632", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "github": [{"lastseen": "2023-12-07T17:31:32", "description": "dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.\n\nNote: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-10-16T17:01:25", "type": "github", "title": "Dom4j contains a XML Injection vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632"], "modified": "2023-02-01T05:03:22", "id": "GHSA-6PCC-3RFX-4GPM", "href": "https://github.com/advisories/GHSA-6pcc-3rfx-4gpm", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "redhat": [{"lastseen": "2023-11-29T06:41:11", "description": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.1.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* wildfly-core: Cross-site scripting (XSS) in JBoss Management Console (CVE-2018-10934)\n\n* undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer (CVE-2018-14642)\n\n* dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents (CVE-2018-1000632)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}}, "published": "2019-02-18T15:33:24", "type": "redhat", "title": "(RHSA-2019:0362) Moderate: Red Hat JBoss Enterprise Application Platform 7.1.6 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632", "CVE-2018-10934", "CVE-2018-14642"], "modified": "2019-02-18T15:33:35", "id": "RHSA-2019:0362", "href": "https://access.redhat.com/errata/RHSA-2019:0362", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-11-29T06:41:11", "description": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.1.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* wildfly-core: Cross-site scripting (XSS) in JBoss Management Console (CVE-2018-10934)\n\n* undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer (CVE-2018-14642)\n\n* dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents (CVE-2018-1000632)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}}, "published": "2019-02-18T15:35:41", "type": "redhat", "title": "(RHSA-2019:0364) Moderate: Red Hat JBoss Enterprise Application Platform 7.1.6 on RHEL 6 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632", "CVE-2018-10934", "CVE-2018-14642"], "modified": "2019-02-18T15:36:36", "id": "RHSA-2019:0364", "href": "https://access.redhat.com/errata/RHSA-2019:0364", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-06T12:41:48", "description": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.22 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.21, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* admin-cli: wildfly-core: Cross-site scripting (XSS) in JBoss Management\nConsole (CVE-2018-10934)\n\n* dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute\nwhich can impact the integrity of XML documents (CVE-2018-1000632)\n\n* jbossweb: tomcat: host name verification missing in WebSocket client\n(CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-05-13T16:51:53", "type": "redhat", "title": "(RHSA-2019:1160) Moderate: Red Hat JBoss Enterprise Application Platform 6.4.22 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632", "CVE-2018-10934", "CVE-2018-8034"], "modified": "2019-05-13T16:59:16", "id": "RHSA-2019:1160", "href": "https://access.redhat.com/errata/RHSA-2019:1160", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-06T12:41:48", "description": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.22 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.21, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* admin-cli: wildfly-core: Cross-site scripting (XSS) in JBoss Management Console (CVE-2018-10934)\n\n* dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents (CVE-2018-1000632)\n\n* jbossweb: tomcat: host name verification missing in WebSocket client (CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-05-13T16:51:48", "type": "redhat", "title": "(RHSA-2019:1159) Moderate: Red Hat JBoss Enterprise Application Platform 6.4.22 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632", "CVE-2018-10934", "CVE-2018-8034"], "modified": "2019-05-13T16:57:15", "id": "RHSA-2019:1159", "href": "https://access.redhat.com/errata/RHSA-2019:1159", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-06T12:41:48", "description": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.22 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.21, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* admin-cli: wildfly-core: Cross-site scripting (XSS) in JBoss Management\nConsole (CVE-2018-10934)\n\n* dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute\nwhich can impact the integrity of XML documents (CVE-2018-1000632)\n\n* jbossweb: tomcat: host name verification missing in WebSocket client\n(CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.4 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-05-13T17:23:29", "type": "redhat", "title": "(RHSA-2019:1162) Moderate: Red Hat JBoss Enterprise Application Platform 6.4.22 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632", "CVE-2018-10934", "CVE-2018-8034"], "modified": "2019-05-13T17:23:59", "id": "RHSA-2019:1162", "href": "https://access.redhat.com/errata/RHSA-2019:1162", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-11-29T06:41:11", "description": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.1.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* wildfly-core: Cross-site scripting (XSS) in JBoss Management Console (CVE-2018-10934)\n\n* undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer (CVE-2018-14642)\n\n* dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents (CVE-2018-1000632)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}}, "published": "2019-02-18T15:35:43", "type": "redhat", "title": "(RHSA-2019:0365) Moderate: Red Hat JBoss Enterprise Application Platform 7.1.6 for RHEL 7 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632", "CVE-2018-10934", "CVE-2018-14642"], "modified": "2019-02-18T15:36:30", "id": "RHSA-2019:0365", "href": "https://access.redhat.com/errata/RHSA-2019:0365", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-06T12:41:48", "description": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.22 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.21, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* admin-cli: wildfly-core: Cross-site scripting (XSS) in JBoss Management\nConsole (CVE-2018-10934)\n\n* dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute\nwhich can impact the integrity of XML documents (CVE-2018-1000632)\n\n* jbossweb: tomcat: host name verification missing in WebSocket client\n(CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-05-13T16:51:54", "type": "redhat", "title": "(RHSA-2019:1161) Moderate: Red Hat JBoss Enterprise Application Platform 6.4.22 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632", "CVE-2018-10934", "CVE-2018-8034"], "modified": "2019-05-13T16:59:16", "id": "RHSA-2019:1161", "href": "https://access.redhat.com/errata/RHSA-2019:1161", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-11-29T06:41:11", "description": "Red Hat Single Sign-On 7.2 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.2.6 serves as a replacement for Red Hat Single Sign-On 7.2.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer (CVE-2018-14642)\n\n* console: wildfly-core: Cross-site scripting (XSS) in JBoss Management Console (CVE-2018-10934)\n\n* dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents (CVE-2018-1000632)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}}, "published": "2019-02-19T16:43:24", "type": "redhat", "title": "(RHSA-2019:0380) Moderate: Red Hat Single Sign-On 7.2.6 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000632", "CVE-2018-10934", "CVE-2018-14642"], "modified": "2019-02-19T17:03:31", "id": "RHSA-2019:0380", "href": "https://access.redhat.com/errata/RHSA-2019:0380", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-12-07T18:41:55", "description": "Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool.\n\nSecurity Fix(es):\n\n* rubygem-rack: Buffer size in multipart parser allows for denial of service (CVE-2018-16470)\n\n* dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents (CVE-2018-1000632)\n\n* foreman: authorization bypasses in foreman-tasks leading to information disclosure (CVE-2019-10198)\n\n* katello: registry credentials are captured in plain text during repository discovery (CVE-2019-14825)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nThis update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.6, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.0}, "published": "2019-10-22T12:34:42", "type": "redhat", "title": "(RHSA-2019:3172) Moderate: Red Hat Satellite 6 security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-10516", "CVE-2016-10745", "CVE-2018-1000632", "CVE-2018-16470", "CVE-2019-10198", "CVE-2019-10906", "CVE-2019-12387", "CVE-2019-14825", "CVE-2019-3893"], "modified": "2020-08-05T10:27:51", "id": "RHSA-2019:3172", "href": "https://access.redhat.com/errata/RHSA-2019:3172", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-07T18:41:51", "description": "This release of Red Hat Fuse 7.7.0 serves as a replacement for Red Hat Fuse 7.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* netty (CVE-2016-4970 CVE-2020-7238 CVE-2019-20444 CVE-2019-20445)\n\n* dom4j (CVE-2018-1000632)\n\n* elasticsearch (CVE-2018-3831)\n\n* pdfbox (CVE-2018-11797)\n\n* vertx (CVE-2018-12541)\n\n* spring-data-jpa (CVE-2019-3797)\n\n* mina-core (CVE-2019-0231)\n\n* jackson-databind (CVE-2019-12086 CVE-2019-16335 CVE-2019-14540 CVE-2019-17267 CVE-2019-14892 CVE-2019-14893 CVE-2019-16942 CVE-2019-16943 CVE-2019-17531 CVE-2019-20330 CVE-2020-10673 CVE-2020-10672 CVE-2020-8840 CVE-2020-9546 CVE-2020-9547 CVE-2020-9548 CVE-2020-10968 CVE-2020-10969 CVE-2020-11111 CVE-2020-11112 CVE-2020-11113 CVE-2020-11620 CVE-2020-11619 CVE-2020-14195 CVE-2020-14060 CVE-2020-14061 CVE-2020-14062)\n\n* jackson-mapper-asl (CVE-2019-10172)\n\n* hawtio (CVE-2019-9827)\n\n* undertow (CVE-2019-9511 CVE-2020-1757 CVE-2019-14888 CVE-2020-1745)\n\n* santuario (CVE-2019-12400)\n\n* apache-commons-beanutils (CVE-2019-10086)\n\n* cxf (CVE-2019-17573)\n\n* apache-commons-configuration (CVE-2020-1953)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-28T15:50:16", "type": "redhat", "title": "(RHSA-2020:3192) Important: Red Hat Fuse 7.7.0 release and security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4970", "CVE-2018-1000632", "CVE-2018-11797", "CVE-2018-12541", "CVE-2018-3831", "CVE-2019-0231", "CVE-2019-10086", "CVE-2019-10172", "CVE-2019-12086", "CVE-2019-12400", "CVE-2019-12419", "CVE-2019-14540", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531", "CVE-2019-17573", "CVE-2019-20330", "CVE-2019-20444", "CVE-2019-20445", "CVE-2019-3797", "CVE-2019-9511", "CVE-2019-9827", "CVE-2020-10672", "CVE-2020-10673", "CVE-2020-10687", "CVE-2020-10968", "CVE-2020-10969", "CVE-2020-11111", "CVE-2020-11112", "CVE-2020-11113", "CVE-2020-11619", "CVE-2020-11620", "CVE-2020-14060", "CVE-2020-14061", "CVE-2020-14062", "CVE-2020-14195", "CVE-2020-1745", "CVE-2020-1757", "CVE-2020-1953", "CVE-2020-7238", "CVE-2020-8840", "CVE-2020-9546", "CVE-2020-9547", "CVE-2020-9548"], "modified": "2021-03-04T16:06:31", "id": "RHSA-2020:3192", "href": "https://access.redhat.com/errata/RHSA-2020:3192", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "atlassian": [{"lastseen": "2021-09-01T06:43:22", "description": "Affected versions of Atlassian Fisheye and Crucible allow an unauthenticated remote attacker to achieve remote code execution, denial of service and XML external entities in Atlassian Gadgets. The CVEs involved were:\r\n * CVE-2012-0881\r\n * CVE-2019-10172\r\n * CVE-2018-1000632\r\n * CVE-2016-1000031\r\n * CVE-2014-0114\r\n * CVE-2020-26217\r\n\r\nThe affected versions are before version 4.8.6.\r\n\r\n*Affected versions:*\r\n * version < 4.8.6\r\n\r\n*Fixed versions:*\r\n * 4.8.6 \u00a0", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-03T22:43:13", "type": "atlassian", "title": "Update atlassian-gadgets to 4.2.39 to fix CVE-2012-0881, CVE-2014-0114 and other vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26217", "CVE-2012-0881", "CVE-2014-0114", "CVE-2019-10172", "CVE-2018-1000632", "CVE-2016-1000031"], "modified": "2021-09-01T06:01:40", "id": "ATLASSIAN:FE-7345", "href": "https://jira.atlassian.com/browse/FE-7345", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-07T18:59:50", "description": "Affected versions of Atlassian Fisheye and Crucible allow an unauthenticated remote attacker to achieve remote code execution, denial of service and XML external entities in Atlassian Gadgets. The CVEs involved were:\r\n * CVE-2012-0881\r\n * CVE-2019-10172\r\n * CVE-2018-1000632\r\n * CVE-2016-1000031\r\n * CVE-2014-0114\r\n * CVE-2020-26217\r\n\r\nThe affected versions are before version 4.8.6.\r\n\r\n*Affected versions:*\r\n * version < 4.8.6\r\n\r\n*Fixed versions:*\r\n * 4.8.6 \u00a0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-03T22:43:13", "type": "atlassian", "title": "Update atlassian-gadgets to 4.2.39 to fix CVE-2012-0881, CVE-2014-0114 and other vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0881", "CVE-2014-0114", "CVE-2016-1000031", "CVE-2018-1000632", "CVE-2019-10172", "CVE-2020-26217"], "modified": "2023-11-09T09:44:56", "id": "FE-7345", "href": "https://jira.atlassian.com/browse/FE-7345", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "hp": [{"lastseen": "2023-12-08T22:46:11", "description": "Previous versions of HP Device Manager (prior to HPDM 5.0.11) could potentially contain security vulnerabilities. HP has released HP Device Manager 5.0.11, which includes updates to mitigate potential vulnerabilities. \n\nAll of the identified vulnerabilities listed above were addressed and fixed as part of HP Device Manager 5.0.11, which released on September 28th, 2023. \n", "cvss3": {}, "published": "2023-10-20T00:00:00", "type": "hp", "title": "HP Device Manager Security Updates", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0114", "CVE-2017-17485", "CVE-2018-1000632", "CVE-2018-11307", "CVE-2018-12022", "CVE-2018-12023", "CVE-2018-14718", "CVE-2018-14719", "CVE-2018-14720", "CVE-2018-14721", "CVE-2018-19360", "CVE-2018-19361", "CVE-2018-19362", "CVE-2018-5968", "CVE-2018-7489", "CVE-2019-10086", "CVE-2019-12086", "CVE-2019-14379", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531", "CVE-2019-20330", "CVE-2020-10650", "CVE-2020-10672", "CVE-2020-10673", "CVE-2020-10683", "CVE-2020-10968", "CVE-2020-10969", "CVE-2020-11111", "CVE-2020-11112", "CVE-2020-11113", "CVE-2020-11619", "CVE-2020-11620", "CVE-2020-14060", "CVE-2020-14061", "CVE-2020-14062", "CVE-2020-14195", "CVE-2020-24616", "CVE-2020-24750", "CVE-2020-25649", "CVE-2020-35490", "CVE-2020-35491", "CVE-2020-35728", "CVE-2020-36179", "CVE-2020-36180", "CVE-2020-36181", "CVE-2020-36182", "CVE-2020-36183", "CVE-2020-36184", "CVE-2020-36185", "CVE-2020-36186", "CVE-2020-36187", "CVE-2020-36188", "CVE-2020-36189", "CVE-2020-36518", "CVE-2020-8840", "CVE-2020-9546", "CVE-2020-9547", "CVE-2020-9548", "CVE-2021-20190", "CVE-2022-42003", "CVE-2023-0464", "CVE-2023-0465", "CVE-2023-0466", "CVE-2023-1255", "CVE-2023-21930", "CVE-2023-21939", "CVE-2023-21954", "CVE-2023-2650", "CVE-2023-2975", "CVE-2023-3247", "CVE-2023-3446", "CVE-2023-3817", "CVE-2023-3823", "CVE-2023-3824", "CVE-2023-4304", "CVE-2023-4807"], "modified": "2023-10-20T00:00:00", "id": "HPSBHF03876", "href": "https://support.hp.com/us-en/document/ish_9486447-9486479-16/HPSBHF03876", "cvss": {"score": "8.8", "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/"}}], "oracle": [{"lastseen": "2023-12-08T14:58:50", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n * Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 284 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at January 2019 Critical Patch Update: Executive Summary and Analysis.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-01-15T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - January 2019", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0114", "CVE-2015-0852", "CVE-2015-1832", "CVE-2015-4760", "CVE-2015-7940", "CVE-2015-8965", "CVE-2015-9251", "CVE-2016-0635", "CVE-2016-1000031", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-4000", "CVE-2016-5684", "CVE-2016-6814", "CVE-2016-9389", "CVE-2016-9392", "CVE-2016-9583", "CVE-2017-0379", "CVE-2017-13745", "CVE-2017-14229", "CVE-2017-14735", "CVE-2017-15095", "CVE-2017-3735", "CVE-2017-3736", "CVE-2017-3738", "CVE-2017-5645", "CVE-2017-7525", "CVE-2017-7658", "CVE-2017-9526", "CVE-2017-9798", "CVE-2018-0732", "CVE-2018-0733", "CVE-2018-0734", "CVE-2018-0735", "CVE-2018-0737", "CVE-2018-0739", "CVE-2018-1000120", "CVE-2018-1000121", "CVE-2018-1000122", "CVE-2018-1000180", "CVE-2018-1000300", "CVE-2018-1000301", "CVE-2018-1000613", "CVE-2018-1000632", "CVE-2018-10933", "CVE-2018-11039", "CVE-2018-11040", "CVE-2018-11212", "CVE-2018-11307", "CVE-2018-11763", "CVE-2018-11775", "CVE-2018-11776", "CVE-2018-11784", "CVE-2018-12022", "CVE-2018-12023", "CVE-2018-1257", "CVE-2018-1258", "CVE-2018-1270", "CVE-2018-1271", "CVE-2018-1272", "CVE-2018-1275", "CVE-2018-1313", "CVE-2018-14718", "CVE-2018-14719", "CVE-2018-14720", "CVE-2018-14721", "CVE-2018-3125", "CVE-2018-3147", "CVE-2018-3246", "CVE-2018-3303", "CVE-2018-3304", "CVE-2018-3305", "CVE-2018-3309", "CVE-2018-3311", "CVE-2018-3639", "CVE-2018-3646", "CVE-2018-5390", "CVE-2018-5407", "CVE-2018-6922", "CVE-2018-7489", "CVE-2018-8013", "CVE-2018-9206", "CVE-2019-2395", "CVE-2019-2396", "CVE-2019-2397", "CVE-2019-2398", "CVE-2019-2399", "CVE-2019-2400", "CVE-2019-2401", "CVE-2019-2402", "CVE-2019-2403", "CVE-2019-2404", "CVE-2019-2405", "CVE-2019-2406", "CVE-2019-2407", "CVE-2019-2408", "CVE-2019-2409", "CVE-2019-2410", "CVE-2019-2411", "CVE-2019-2412", "CVE-2019-2413", "CVE-2019-2414", "CVE-2019-2415", "CVE-2019-2416", "CVE-2019-2417", "CVE-2019-2418", "CVE-2019-2419", "CVE-2019-2420", "CVE-2019-2421", "CVE-2019-2422", "CVE-2019-2423", "CVE-2019-2425", "CVE-2019-2426", "CVE-2019-2427", "CVE-2019-2429", "CVE-2019-2430", "CVE-2019-2431", "CVE-2019-2432", "CVE-2019-2433", "CVE-2019-2434", "CVE-2019-2435", "CVE-2019-2436", "CVE-2019-2437", "CVE-2019-2438", "CVE-2019-2439", "CVE-2019-2440", "CVE-2019-2441", "CVE-2019-2442", "CVE-2019-2443", "CVE-2019-2444", "CVE-2019-2445", "CVE-2019-2446", "CVE-2019-2447", "CVE-2019-2448", "CVE-2019-2449", "CVE-2019-2450", "CVE-2019-2451", "CVE-2019-2452", "CVE-2019-2453", "CVE-2019-2455", "CVE-2019-2456", "CVE-2019-2457", "CVE-2019-2458", "CVE-2019-2459", "CVE-2019-2460", "CVE-2019-2461", "CVE-2019-2462", "CVE-2019-2463", "CVE-2019-2464", "CVE-2019-2465", "CVE-2019-2466", "CVE-2019-2467", "CVE-2019-2468", "CVE-2019-2469", "CVE-2019-2470", "CVE-2019-2471", "CVE-2019-2472", "CVE-2019-2473", "CVE-2019-2474", "CVE-2019-2475", "CVE-2019-2476", "CVE-2019-2477", "CVE-2019-2478", "CVE-2019-2479", "CVE-2019-2480", "CVE-2019-2481", "CVE-2019-2482", "CVE-2019-2485", "CVE-2019-2486", "CVE-2019-2487", "CVE-2019-2488", "CVE-2019-2489", "CVE-2019-2490", "CVE-2019-2491", "CVE-2019-2492", "CVE-2019-2493", "CVE-2019-2494", "CVE-2019-2495", "CVE-2019-2496", "CVE-2019-2497", "CVE-2019-2498", "CVE-2019-2499", "CVE-2019-2500", "CVE-2019-2501", "CVE-2019-2502", "CVE-2019-2503", "CVE-2019-2504", "CVE-2019-2505", "CVE-2019-2506", "CVE-2019-2507", "CVE-2019-2508", "CVE-2019-2509", "CVE-2019-2510", "CVE-2019-2511", "CVE-2019-2512", "CVE-2019-2513", "CVE-2019-2519", "CVE-2019-2520", "CVE-2019-2521", "CVE-2019-2522", "CVE-2019-2523", "CVE-2019-2524", "CVE-2019-2525", "CVE-2019-2526", "CVE-2019-2527", "CVE-2019-2528", "CVE-2019-2529", "CVE-2019-2530", "CVE-2019-2531", "CVE-2019-2532", "CVE-2019-2533", "CVE-2019-2534", "CVE-2019-2535", "CVE-2019-2536", "CVE-2019-2537", "CVE-2019-2538", "CVE-2019-2539", "CVE-2019-2540", "CVE-2019-2541", "CVE-2019-2543", "CVE-2019-2544", "CVE-2019-2545", "CVE-2019-2546", "CVE-2019-2547", "CVE-2019-2548", "CVE-2019-2549", "CVE-2019-2550", "CVE-2019-2552", "CVE-2019-2553", "CVE-2019-2554", "CVE-2019-2555", "CVE-2019-2556"], "modified": "2020-02-13T00:00:00", "id": "ORACLE:CPUJAN2019", "href": "https://www.oracle.com/security-alerts/cpujan2019.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-07T20:10:35", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 391 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ April 2021 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2765149.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-20T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - April 2021", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2542", "CVE-2016-5725", "CVE-2016-7103", "CVE-2017-1000061", "CVE-2017-12626", "CVE-2017-14735", "CVE-2017-18640", "CVE-2017-5645", "CVE-2018-1000180", "CVE-2018-1000613", "CVE-2018-1000632", "CVE-2018-1285", "CVE-2018-14040", "CVE-2018-14041", "CVE-2018-14042", "CVE-2018-14550", "CVE-2018-14613", "CVE-2018-16884", "CVE-2018-20843", "CVE-2018-8032", "CVE-2019-0219", "CVE-2019-0221", "CVE-2019-0227", "CVE-2019-0228", "CVE-2019-0230", "CVE-2019-0232", "CVE-2019-0233", "CVE-2019-10072", "CVE-2019-10080", "CVE-2019-10086", "CVE-2019-10098", "CVE-2019-10173", "CVE-2019-10246", "CVE-2019-10247", "CVE-2019-10638", "CVE-2019-10639", "CVE-2019-11358", "CVE-2019-11487", "CVE-2019-11599", "CVE-2019-12086", "CVE-2019-12399", "CVE-2019-12402", "CVE-2019-12406", "CVE-2019-1241", "CVE-2019-12415", "CVE-2019-12419", "CVE-2019-12423", "CVE-2019-14379", "CVE-2019-14898", "CVE-2019-15218", "CVE-2019-1551", "CVE-2019-16746", "CVE-2019-16942", "CVE-2019-17075", "CVE-2019-17133", "CVE-2019-17195", "CVE-2019-17495", "CVE-2019-17566", "CVE-2019-17571", "CVE-2019-17573", "CVE-2019-17632", "CVE-2019-17638", "CVE-2019-18885", "CVE-2019-19052", "CVE-2019-19063", "CVE-2019-19066", "CVE-2019-19073", "CVE-2019-19074", "CVE-2019-19078", "CVE-2019-19535", "CVE-2019-19922", "CVE-2019-20812", "CVE-2019-2904", "CVE-2019-3738", "CVE-2019-3739", "CVE-2019-3740", "CVE-2019-3773", "CVE-2019-3874", "CVE-2019-3900", "CVE-2019-5063", "CVE-2019-5064", "CVE-2019-5108", "CVE-2019-5428", "CVE-2019-7317", "CVE-2019-8331", "CVE-2020-10188", "CVE-2020-10543", "CVE-2020-10683", "CVE-2020-10751", "CVE-2020-10769", "CVE-2020-10878", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11612", "CVE-2020-11655", "CVE-2020-11656", "CVE-2020-11973", "CVE-2020-11979", "CVE-2020-11987", "CVE-2020-11994", "CVE-2020-11998", "CVE-2020-12114", "CVE-2020-12723", "CVE-2020-12771", "CVE-2020-13434", "CVE-2020-13435", "CVE-2020-13871", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-13943", "CVE-2020-13954", "CVE-2020-13956", "CVE-2020-14039", "CVE-2020-14060", "CVE-2020-14061", "CVE-2020-14062", "CVE-2020-14195", "CVE-2020-1472", "CVE-2020-15358", "CVE-2020-15586", "CVE-2020-16166", "CVE-2020-16845", "CVE-2020-17521", "CVE-2020-17527", "CVE-2020-17530", "CVE-2020-1927", "CVE-2020-1941", "CVE-2020-1945", "CVE-2020-1967", "CVE-2020-1968", "CVE-2020-1971", "CVE-2020-24394", "CVE-2020-24553", "CVE-2020-24616", "CVE-2020-24750", "CVE-2020-25649", "CVE-2020-26217", "CVE-2020-26418", "CVE-2020-26419", "CVE-2020-26420", "CVE-2020-26421", "CVE-2020-26422", "CVE-2020-27193", "CVE-2020-27216", "CVE-2020-27218", "CVE-2020-27223", "CVE-2020-27841", "CVE-2020-27842", "CVE-2020-27843", "CVE-2020-27844", "CVE-2020-27845", "CVE-2020-28052", "CVE-2020-28196", "CVE-2020-35490", "CVE-2020-35491", "CVE-2020-35728", "CVE-2020-36179", "CVE-2020-36180", "CVE-2020-36181", "CVE-2020-36182", "CVE-2020-36183", "CVE-2020-36184", "CVE-2020-36185", "CVE-2020-36186", "CVE-2020-36187", "CVE-2020-36188", "CVE-2020-36189", "CVE-2020-5359", "CVE-2020-5360", "CVE-2020-5398", "CVE-2020-5407", "CVE-2020-5408", "CVE-2020-5413", "CVE-2020-5421", "CVE-2020-7059", "CVE-2020-7060", "CVE-2020-7069", "CVE-2020-7760", "CVE-2020-7774", "CVE-2020-7919", "CVE-2020-8203", "CVE-2020-8277", "CVE-2020-8284", "CVE-2020-8285", "CVE-2020-8286", "CVE-2020-8908", "CVE-2020-9281", "CVE-2020-9327", "CVE-2020-9480", "CVE-2020-9484", "CVE-2020-9488", "CVE-2020-9489", "CVE-2021-2008", "CVE-2021-20227", "CVE-2021-2053", "CVE-2021-21290", "CVE-2021-2134", "CVE-2021-21345", "CVE-2021-2135", "CVE-2021-2136", "CVE-2021-2140", "CVE-2021-2141", "CVE-2021-2142", "CVE-2021-2144", "CVE-2021-2145", "CVE-2021-2146", "CVE-2021-2147", "CVE-2021-2149", "CVE-2021-2150", "CVE-2021-2151", "CVE-2021-2152", "CVE-2021-2153", "CVE-2021-2154", "CVE-2021-2155", "CVE-2021-2156", "CVE-2021-2157", "CVE-2021-2158", "CVE-2021-2159", "CVE-2021-2160", "CVE-2021-2161", "CVE-2021-2162", "CVE-2021-2163", "CVE-2021-2164", "CVE-2021-2166", "CVE-2021-2167", "CVE-2021-2169", "CVE-2021-2170", "CVE-2021-2171", "CVE-2021-2172", "CVE-2021-2173", "CVE-2021-2174", "CVE-2021-2175", "CVE-2021-2177", "CVE-2021-2178", "CVE-2021-2179", "CVE-2021-2180", "CVE-2021-2181", "CVE-2021-2182", "CVE-2021-2183", "CVE-2021-2184", "CVE-2021-2185", "CVE-2021-2186", "CVE-2021-2187", "CVE-2021-2188", "CVE-2021-2189", "CVE-2021-2190", "CVE-2021-2191", "CVE-2021-2192", "CVE-2021-2193", "CVE-2021-2194", "CVE-2021-2195", "CVE-2021-2196", "CVE-2021-2197", "CVE-2021-2198", "CVE-2021-2199", "CVE-2021-2200", "CVE-2021-2201", "CVE-2021-2202", "CVE-2021-2203", "CVE-2021-2204", "CVE-2021-2205", "CVE-2021-2206", "CVE-2021-2207", "CVE-2021-2208", "CVE-2021-2209", "CVE-2021-2210", "CVE-2021-2211", "CVE-2021-22112", "CVE-2021-2212", "CVE-2021-2213", "CVE-2021-2214", "CVE-2021-2215", "CVE-2021-2216", "CVE-2021-2217", "CVE-2021-22173", "CVE-2021-22174", "CVE-2021-2218", "CVE-2021-2219", "CVE-2021-22191", "CVE-2021-2220", "CVE-2021-2221", "CVE-2021-2222", "CVE-2021-2223", "CVE-2021-2224", "CVE-2021-2225", "CVE-2021-2226", "CVE-2021-2227", "CVE-2021-2228", "CVE-2021-2229", "CVE-2021-2230", "CVE-2021-2231", "CVE-2021-2232", "CVE-2021-2233", "CVE-2021-2234", "CVE-2021-2235", "CVE-2021-2236", "CVE-2021-2237", "CVE-2021-2238", "CVE-2021-2239", "CVE-2021-2240", "CVE-2021-2241", "CVE-2021-2242", "CVE-2021-2244", "CVE-2021-2245", "CVE-2021-2246", "CVE-2021-2247", "CVE-2021-2248", "CVE-2021-2249", "CVE-2021-2250", "CVE-2021-2251", "CVE-2021-2252", "CVE-2021-2253", "CVE-2021-2254", "CVE-2021-2255", "CVE-2021-2256", "CVE-2021-2257", "CVE-2021-2258", "CVE-2021-2259", "CVE-2021-2260", "CVE-2021-2261", "CVE-2021-2262", "CVE-2021-2263", "CVE-2021-2264", "CVE-2021-2266", "CVE-2021-2267", "CVE-2021-2268", "CVE-2021-2269", "CVE-2021-2270", "CVE-2021-2271", "CVE-2021-2272", "CVE-2021-2273", "CVE-2021-2274", "CVE-2021-2275", "CVE-2021-2276", "CVE-2021-2277", "CVE-2021-2278", "CVE-2021-2279", "CVE-2021-2280", "CVE-2021-2281", "CVE-2021-2282", "CVE-2021-2283", "CVE-2021-2284", "CVE-2021-2285", "CVE-2021-2286", "CVE-2021-2287", "CVE-2021-2288", "CVE-2021-22883", "CVE-2021-22884", "CVE-2021-2289", "CVE-2021-2290", "CVE-2021-2291", "CVE-2021-2292", "CVE-2021-2293", "CVE-2021-2294", "CVE-2021-2295", "CVE-2021-2296", "CVE-2021-2297", "CVE-2021-2298", "CVE-2021-2299", "CVE-2021-2300", "CVE-2021-2301", "CVE-2021-2302", "CVE-2021-2303", "CVE-2021-2304", "CVE-2021-2305", "CVE-2021-2306", "CVE-2021-2307", "CVE-2021-2308", "CVE-2021-2309", "CVE-2021-2310", "CVE-2021-2311", "CVE-2021-2312", "CVE-2021-2314", "CVE-2021-2315", "CVE-2021-2316", "CVE-2021-2317", "CVE-2021-2318", "CVE-2021-2319", "CVE-2021-2320", "CVE-2021-2321", "CVE-2021-23336", "CVE-2021-23839", "CVE-2021-23840", "CVE-2021-23841", "CVE-2021-3449", "CVE-2021-3450"], "modified": "2021-09-04T00:00:00", "id": "ORACLE:CPUAPR2021", "href": "https://www.oracle.com/security-alerts/cpuapr2021.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-08T14:58:44", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:\n\n * [Critical Patch Updates, Security Alerts and Bulletins](<https://www.oracle.com/security-alerts>) for information about Oracle Security advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 444 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ July 2020 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2684313.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-14T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - July 2020", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7501", "CVE-2015-8607", "CVE-2015-8608", "CVE-2015-9251", "CVE-2016-0701", "CVE-2016-1000031", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-1923", "CVE-2016-1924", "CVE-2016-2183", "CVE-2016-2381", "CVE-2016-3183", "CVE-2016-4000", "CVE-2016-4796", "CVE-2016-4797", "CVE-2016-5017", "CVE-2016-5019", "CVE-2016-6306", "CVE-2016-6814", "CVE-2016-8332", "CVE-2016-8610", "CVE-2016-9112", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-0861", "CVE-2017-10140", "CVE-2017-12610", "CVE-2017-12626", "CVE-2017-12814", "CVE-2017-12837", "CVE-2017-12883", "CVE-2017-15265", "CVE-2017-15708", "CVE-2017-5637", "CVE-2017-5645", "CVE-2018-1000004", "CVE-2018-1000632", "CVE-2018-10237", "CVE-2018-10675", "CVE-2018-10872", "CVE-2018-10901", "CVE-2018-11039", "CVE-2018-11040", "CVE-2018-11054", "CVE-2018-11055", "CVE-2018-11056", "CVE-2018-11057", "CVE-2018-11058", "CVE-2018-11776", "CVE-2018-1199", "CVE-2018-12015", "CVE-2018-12023", "CVE-2018-12207", "CVE-2018-1257", "CVE-2018-1258", "CVE-2018-1270", "CVE-2018-1271", "CVE-2018-1272", "CVE-2018-1275", "CVE-2018-1288", "CVE-2018-15756", "CVE-2018-15769", "CVE-2018-17190", "CVE-2018-17196", "CVE-2018-18311", "CVE-2018-18312", "CVE-2018-18313", "CVE-2018-18314", "CVE-2018-3620", "CVE-2018-3639", "CVE-2018-3646", "CVE-2018-3665", "CVE-2018-3693", "CVE-2018-5390", "CVE-2018-6616", "CVE-2018-6797", "CVE-2018-6798", "CVE-2018-6913", "CVE-2018-7566", "CVE-2018-8012", "CVE-2018-8013", "CVE-2018-8032", "CVE-2018-8088", "CVE-2019-0188", "CVE-2019-0201", "CVE-2019-0220", "CVE-2019-0222", "CVE-2019-0227", "CVE-2019-10081", "CVE-2019-10082", "CVE-2019-10086", "CVE-2019-10092", "CVE-2019-10097", "CVE-2019-10192", "CVE-2019-10193", "CVE-2019-10246", "CVE-2019-10247", "CVE-2019-11358", "CVE-2019-12086", "CVE-2019-12384", "CVE-2019-12402", "CVE-2019-12415", "CVE-2019-12423", "CVE-2019-12814", "CVE-2019-12973", "CVE-2019-13990", "CVE-2019-14379", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-14862", "CVE-2019-14893", "CVE-2019-1547", "CVE-2019-1549", "CVE-2019-1551", "CVE-2019-1552", "CVE-2019-1563", "CVE-2019-16056", "CVE-2019-16335", "CVE-2019-16935", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17091", "CVE-2019-17267", "CVE-2019-17359", "CVE-2019-17531", "CVE-2019-17560", "CVE-2019-17561", "CVE-2019-17563", "CVE-2019-17569", "CVE-2019-17571", "CVE-2019-17573", "CVE-2019-19956", "CVE-2019-20330", "CVE-2019-20388", "CVE-2019-2094", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-2904", "CVE-2019-3738", "CVE-2019-3739", "CVE-2019-3740", "CVE-2019-5427", "CVE-2019-5489", "CVE-2019-8457", "CVE-2020-10650", "CVE-2020-10672", "CVE-2020-10673", "CVE-2020-10683", "CVE-2020-10968", "CVE-2020-10969", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11080", "CVE-2020-11111", "CVE-2020-11112", "CVE-2020-11113", "CVE-2020-11619", "CVE-2020-11620", "CVE-2020-11655", "CVE-2020-11656", "CVE-2020-13434", "CVE-2020-13435", "CVE-2020-13630", "CVE-2020-13631", "CVE-2020-13632", "CVE-2020-14527", "CVE-2020-14528", "CVE-2020-14529", "CVE-2020-14530", "CVE-2020-14531", "CVE-2020-14532", "CVE-2020-14533", "CVE-2020-14534", "CVE-2020-14535", "CVE-2020-14536", "CVE-2020-14537", "CVE-2020-14539", "CVE-2020-14540", "CVE-2020-14541", "CVE-2020-14542", "CVE-2020-14543", "CVE-2020-14544", "CVE-2020-14545", "CVE-2020-14546", "CVE-2020-14547", "CVE-2020-14548", "CVE-2020-14549", "CVE-2020-14550", "CVE-2020-14551", "CVE-2020-14552", "CVE-2020-14553", "CVE-2020-14554", "CVE-2020-14555", "CVE-2020-14556", "CVE-2020-14557", "CVE-2020-14558", "CVE-2020-14559", "CVE-2020-14560", "CVE-2020-14561", "CVE-2020-14562", "CVE-2020-14563", "CVE-2020-14564", "CVE-2020-14565", "CVE-2020-14566", "CVE-2020-14567", "CVE-2020-14568", "CVE-2020-14569", "CVE-2020-14570", "CVE-2020-14571", "CVE-2020-14572", "CVE-2020-14573", "CVE-2020-14574", "CVE-2020-14575", "CVE-2020-14576", "CVE-2020-14577", "CVE-2020-14578", "CVE-2020-14579", "CVE-2020-14580", "CVE-2020-14581", "CVE-2020-14582", "CVE-2020-14583", "CVE-2020-14584", "CVE-2020-14585", "CVE-2020-14586", "CVE-2020-14587", "CVE-2020-14588", "CVE-2020-14589", "CVE-2020-14590", "CVE-2020-14591", "CVE-2020-14592", "CVE-2020-14593", "CVE-2020-14594", "CVE-2020-14595", "CVE-2020-14596", "CVE-2020-14597", "CVE-2020-14598", "CVE-2020-14599", "CVE-2020-14600", "CVE-2020-14601", "CVE-2020-14602", "CVE-2020-14603", "CVE-2020-14604", "CVE-2020-14605", "CVE-2020-14606", "CVE-2020-14607", "CVE-2020-14608", "CVE-2020-14609", "CVE-2020-14610", "CVE-2020-14611", "CVE-2020-14612", "CVE-2020-14613", "CVE-2020-14614", "CVE-2020-14615", "CVE-2020-14616", "CVE-2020-14617", "CVE-2020-14618", "CVE-2020-14619", "CVE-2020-14620", "CVE-2020-14621", "CVE-2020-14622", "CVE-2020-14623", "CVE-2020-14624", "CVE-2020-14625", "CVE-2020-14626", "CVE-2020-14627", "CVE-2020-14628", "CVE-2020-14629", "CVE-2020-14630", "CVE-2020-14631", "CVE-2020-14632", "CVE-2020-14633", "CVE-2020-14634", "CVE-2020-14635", "CVE-2020-14636", "CVE-2020-14637", "CVE-2020-14638", "CVE-2020-14639", "CVE-2020-14640", "CVE-2020-14641", "CVE-2020-14642", "CVE-2020-14643", "CVE-2020-14644", "CVE-2020-14645", "CVE-2020-14646", "CVE-2020-14647", "CVE-2020-14648", "CVE-2020-14649", "CVE-2020-14650", "CVE-2020-14651", "CVE-2020-14652", "CVE-2020-14653", "CVE-2020-14654", "CVE-2020-14655", "CVE-2020-14656", "CVE-2020-14657", "CVE-2020-14658", "CVE-2020-14659", "CVE-2020-14660", "CVE-2020-14661", "CVE-2020-14662", "CVE-2020-14663", "CVE-2020-14664", "CVE-2020-14665", "CVE-2020-14666", "CVE-2020-14667", "CVE-2020-14668", "CVE-2020-14669", "CVE-2020-14670", "CVE-2020-14671", "CVE-2020-14673", "CVE-2020-14674", "CVE-2020-14675", "CVE-2020-14676", "CVE-2020-14677", "CVE-2020-14678", "CVE-2020-14679", "CVE-2020-14680", "CVE-2020-14681", "CVE-2020-14682", "CVE-2020-14684", "CVE-2020-14685", "CVE-2020-14686", "CVE-2020-14687", "CVE-2020-14688", "CVE-2020-14690", "CVE-2020-14691", "CVE-2020-14692", "CVE-2020-14693", "CVE-2020-14694", "CVE-2020-14695", "CVE-2020-14696", "CVE-2020-14697", "CVE-2020-14698", "CVE-2020-14699", "CVE-2020-14700", "CVE-2020-14701", "CVE-2020-14702", "CVE-2020-14703", "CVE-2020-14704", "CVE-2020-14705", "CVE-2020-14706", "CVE-2020-14707", "CVE-2020-14708", "CVE-2020-14709", "CVE-2020-14710", "CVE-2020-14711", "CVE-2020-14712", "CVE-2020-14713", "CVE-2020-14714", "CVE-2020-14715", "CVE-2020-14716", "CVE-2020-14717", "CVE-2020-14718", "CVE-2020-14719", "CVE-2020-14720", "CVE-2020-14721", "CVE-2020-14722", "CVE-2020-14723", "CVE-2020-14724", "CVE-2020-14725", "CVE-2020-1927", "CVE-2020-1934", "CVE-2020-1935", "CVE-2020-1938", "CVE-2020-1941", "CVE-2020-1945", "CVE-2020-1950", "CVE-2020-1951", "CVE-2020-1967", "CVE-2020-2513", "CVE-2020-2555", "CVE-2020-2562", "CVE-2020-2966", "CVE-2020-2967", "CVE-2020-2968", "CVE-2020-2969", "CVE-2020-2971", "CVE-2020-2972", "CVE-2020-2973", "CVE-2020-2974", "CVE-2020-2975", "CVE-2020-2976", "CVE-2020-2977", "CVE-2020-2978", "CVE-2020-2981", "CVE-2020-2982", "CVE-2020-2983", "CVE-2020-2984", "CVE-2020-5258", "CVE-2020-5397", "CVE-2020-5398", "CVE-2020-6851", "CVE-2020-7059", "CVE-2020-7060", "CVE-2020-7595", "CVE-2020-8112", "CVE-2020-8172", "CVE-2020-9327", "CVE-2020-9484", "CVE-2020-9488", "CVE-2020-9546", "CVE-2020-9547", "CVE-2020-9548"], "modified": "2020-12-01T00:00:00", "id": "ORACLE:CPUJUL2020", "href": "https://www.oracle.com/security-alerts/cpujul2020.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-08T20:12:48", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:\n\n * [Critical Patch Updates, Security Alerts and Bulletins](<https://www.oracle.com/security-alerts>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 399 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ April 2020 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2652714.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-14T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - April 2020", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "source": "nvd@nist.gov", "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "type": "Primary", "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0254", "CVE-2015-1832", "CVE-2015-3253", "CVE-2015-7940", "CVE-2015-9251", "CVE-2016-0701", "CVE-2016-1000031", "CVE-2016-10244", "CVE-2016-10251", "CVE-2016-10328", "CVE-2016-2183", "CVE-2016-2381", "CVE-2016-3092", "CVE-2016-4000", "CVE-2016-4463", "CVE-2016-6306", "CVE-2016-6489", "CVE-2016-7103", "CVE-2016-8610", "CVE-2017-12626", "CVE-2017-13745", "CVE-2017-14232", "CVE-2017-14735", "CVE-2017-15706", "CVE-2017-3160", "CVE-2017-5130", "CVE-2017-5529", "CVE-2017-5533", "CVE-2017-5645", "CVE-2017-5754", "CVE-2017-7857", "CVE-2017-7858", "CVE-2017-7864", "CVE-2017-8105", "CVE-2017-8287", "CVE-2018-0732", "CVE-2018-0734", "CVE-2018-0737", "CVE-2018-1000180", "CVE-2018-1000613", "CVE-2018-1000632", "CVE-2018-1000873", "CVE-2018-10237", "CVE-2018-11054", "CVE-2018-11055", "CVE-2018-11056", "CVE-2018-11057", "CVE-2018-11058", "CVE-2018-11307", "CVE-2018-1165", "CVE-2018-11775", "CVE-2018-11784", "CVE-2018-11797", "CVE-2018-12022", "CVE-2018-12023", "CVE-2018-1258", "CVE-2018-1304", "CVE-2018-1305", "CVE-2018-1320", "CVE-2018-1336", "CVE-2018-14718", "CVE-2018-14719", "CVE-2018-14720", "CVE-2018-14721", "CVE-2018-15756", "CVE-2018-15769", "CVE-2018-17197", "CVE-2018-18227", "CVE-2018-18311", "CVE-2018-18873", "CVE-2018-19139", "CVE-2018-19360", "CVE-2018-19361", "CVE-2018-19362", "CVE-2018-19539", "CVE-2018-19540", "CVE-2018-19541", "CVE-2018-19542", "CVE-2018-19543", "CVE-2018-19622", "CVE-2018-19623", "CVE-2018-19624", "CVE-2018-19625", "CVE-2018-19626", "CVE-2018-19627", "CVE-2018-19628", "CVE-2018-20346", "CVE-2018-20506", "CVE-2018-20570", "CVE-2018-20584", "CVE-2018-20622", "CVE-2018-20843", "CVE-2018-20852", "CVE-2018-5407", "CVE-2018-5711", "CVE-2018-5712", "CVE-2018-6942", "CVE-2018-8014", "CVE-2018-8032", "CVE-2018-8034", "CVE-2018-8036", "CVE-2018-8037", "CVE-2018-8039", "CVE-2018-9055", "CVE-2018-9154", "CVE-2018-9252", "CVE-2019-0196", "CVE-2019-0197", "CVE-2019-0199", "CVE-2019-0211", "CVE-2019-0215", "CVE-2019-0217", "CVE-2019-0220", "CVE-2019-0221", "CVE-2019-0222", "CVE-2019-0227", "CVE-2019-0228", "CVE-2019-0232", "CVE-2019-10072", "CVE-2019-10081", "CVE-2019-10082", "CVE-2019-10086", "CVE-2019-10088", "CVE-2019-10092", "CVE-2019-10093", "CVE-2019-10094", "CVE-2019-10097", "CVE-2019-10098", "CVE-2019-1010238", "CVE-2019-10173", "CVE-2019-10246", "CVE-2019-10247", "CVE-2019-11358", "CVE-2019-12086", "CVE-2019-12384", "CVE-2019-12387", "CVE-2019-12402", "CVE-2019-12406", "CVE-2019-12415", "CVE-2019-12418", "CVE-2019-12419", "CVE-2019-12855", "CVE-2019-13057", "CVE-2019-13565", "CVE-2019-13990", "CVE-2019-14379", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-14821", "CVE-2019-14889", "CVE-2019-15161", "CVE-2019-15162", "CVE-2019-15163", "CVE-2019-15164", "CVE-2019-15165", "CVE-2019-1543", "CVE-2019-1547", "CVE-2019-1549", "CVE-2019-1552", "CVE-2019-15601", "CVE-2019-15604", "CVE-2019-15605", "CVE-2019-15606", "CVE-2019-1563", "CVE-2019-15903", "CVE-2019-16056", "CVE-2019-16168", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17091", "CVE-2019-17195", "CVE-2019-17359", "CVE-2019-17531", "CVE-2019-17563", "CVE-2019-17571", "CVE-2019-18197", "CVE-2019-19242", "CVE-2019-19244", "CVE-2019-19269", "CVE-2019-19317", "CVE-2019-19553", "CVE-2019-19603", "CVE-2019-19645", "CVE-2019-19646", "CVE-2019-19880", "CVE-2019-19923", "CVE-2019-19924", "CVE-2019-19925", "CVE-2019-19926", "CVE-2019-19959", "CVE-2019-20218", "CVE-2019-20330", "CVE-2019-2412", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-2756", "CVE-2019-2759", "CVE-2019-2852", "CVE-2019-2853", "CVE-2019-2878", "CVE-2019-2880", "CVE-2019-2899", "CVE-2019-2904", "CVE-2019-3008", "CVE-2019-5427", "CVE-2019-5435", "CVE-2019-5436", "CVE-2019-5443", "CVE-2019-5481", "CVE-2019-5482", "CVE-2019-8457", "CVE-2019-9517", "CVE-2019-9579", "CVE-2020-2514", "CVE-2020-2522", "CVE-2020-2524", "CVE-2020-2553", "CVE-2020-2558", "CVE-2020-2575", "CVE-2020-2578", "CVE-2020-2594", "CVE-2020-2680", "CVE-2020-2706", "CVE-2020-2733", "CVE-2020-2734", "CVE-2020-2735", "CVE-2020-2737", "CVE-2020-2738", "CVE-2020-2739", "CVE-2020-2740", "CVE-2020-2741", "CVE-2020-2742", "CVE-2020-2743", "CVE-2020-2744", "CVE-2020-2745", "CVE-2020-2746", "CVE-2020-2747", "CVE-2020-2748", "CVE-2020-2749", "CVE-2020-2750", "CVE-2020-2751", "CVE-2020-2752", "CVE-2020-2753", "CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2756", "CVE-2020-2757", "CVE-2020-2758", "CVE-2020-2759", "CVE-2020-2760", "CVE-2020-2761", "CVE-2020-2762", "CVE-2020-2763", "CVE-2020-2764", "CVE-2020-2765", "CVE-2020-2766", "CVE-2020-2767", "CVE-2020-2768", "CVE-2020-2769", "CVE-2020-2770", "CVE-2020-2771", "CVE-2020-2772", "CVE-2020-2773", "CVE-2020-2774", "CVE-2020-2775", "CVE-2020-2776", "CVE-2020-2777", "CVE-2020-2778", "CVE-2020-2779", "CVE-2020-2780", "CVE-2020-2781", "CVE-2020-2782", "CVE-2020-2783", "CVE-2020-2784", "CVE-2020-2785", "CVE-2020-2786", "CVE-2020-2787", "CVE-2020-2789", "CVE-2020-2790", "CVE-2020-2791", "CVE-2020-2793", "CVE-2020-2794", "CVE-2020-2795", "CVE-2020-2796", "CVE-2020-2797", "CVE-2020-2798", "CVE-2020-2799", "CVE-2020-2800", "CVE-2020-2801", "CVE-2020-2802", "CVE-2020-2803", "CVE-2020-2804", "CVE-2020-2805", "CVE-2020-2806", "CVE-2020-2807", "CVE-2020-2808", "CVE-2020-2809", "CVE-2020-2810", "CVE-2020-2811", "CVE-2020-2812", "CVE-2020-2813", "CVE-2020-2814", "CVE-2020-2815", "CVE-2020-2816", "CVE-2020-2817", "CVE-2020-2818", "CVE-2020-2819", "CVE-2020-2820", "CVE-2020-2821", "CVE-2020-2822", "CVE-2020-2823", "CVE-2020-2824", "CVE-2020-2825", "CVE-2020-2826", "CVE-2020-2827", "CVE-2020-2828", "CVE-2020-2829", "CVE-2020-2830", "CVE-2020-2831", "CVE-2020-2832", "CVE-2020-2833", "CVE-2020-2834", "CVE-2020-2835", "CVE-2020-2836", "CVE-2020-2837", "CVE-2020-2838", "CVE-2020-2839", "CVE-2020-2840", "CVE-2020-2841", "CVE-2020-2842", "CVE-2020-2843", "CVE-2020-2844", "CVE-2020-2845", "CVE-2020-2846", "CVE-2020-2847", "CVE-2020-2848", "CVE-2020-2849", "CVE-2020-2850", "CVE-2020-2851", "CVE-2020-2852", "CVE-2020-2853", "CVE-2020-2854", "CVE-2020-2855", "CVE-2020-2856", "CVE-2020-2857", "CVE-2020-2858", "CVE-2020-2859", "CVE-2020-2860", "CVE-2020-2861", "CVE-2020-2862", "CVE-2020-2863", "CVE-2020-2864", "CVE-2020-2865", "CVE-2020-2866", "CVE-2020-2867", "CVE-2020-2868", "CVE-2020-2869", "CVE-2020-2870", "CVE-2020-2871", "CVE-2020-2872", "CVE-2020-2873", "CVE-2020-2874", "CVE-2020-2875", "CVE-2020-2876", "CVE-2020-2877", "CVE-2020-2878", "CVE-2020-2879", "CVE-2020-2880", "CVE-2020-2881", "CVE-2020-2882", "CVE-2020-2883", "CVE-2020-2884", "CVE-2020-2885", "CVE-2020-2886", "CVE-2020-2887", "CVE-2020-2888", "CVE-2020-2889", "CVE-2020-2890", "CVE-2020-2891", "CVE-2020-2892", "CVE-2020-2893", "CVE-2020-2894", "CVE-2020-2895", "CVE-2020-2896", "CVE-2020-2897", "CVE-2020-2898", "CVE-2020-2899", "CVE-2020-2900", "CVE-2020-2901", "CVE-2020-2902", "CVE-2020-2903", "CVE-2020-2904", "CVE-2020-2905", "CVE-2020-2906", "CVE-2020-2907", "CVE-2020-2908", "CVE-2020-2909", "CVE-2020-2910", "CVE-2020-2911", "CVE-2020-2912", "CVE-2020-2913", "CVE-2020-2914", "CVE-2020-2915", "CVE-2020-2920", "CVE-2020-2921", "CVE-2020-2922", "CVE-2020-2923", "CVE-2020-2924", "CVE-2020-2925", "CVE-2020-2926", "CVE-2020-2927", "CVE-2020-2928", "CVE-2020-2929", "CVE-2020-2930", "CVE-2020-2931", "CVE-2020-2932", "CVE-2020-2933", "CVE-2020-2934", "CVE-2020-2935", "CVE-2020-2936", "CVE-2020-2937", "CVE-2020-2938", "CVE-2020-2939", "CVE-2020-2940", "CVE-2020-2941", "CVE-2020-2942", "CVE-2020-2943", "CVE-2020-2944", "CVE-2020-2945", "CVE-2020-2946", "CVE-2020-2947", "CVE-2020-2949", "CVE-2020-2950", "CVE-2020-2951", "CVE-2020-2952", "CVE-2020-2953", "CVE-2020-2954", "CVE-2020-2955", "CVE-2020-2956", "CVE-2020-2958", "CVE-2020-2959", "CVE-2020-2961", "CVE-2020-2963", "CVE-2020-2964", "CVE-2020-5397", "CVE-2020-5398", "CVE-2020-7044", "CVE-2020-8840"], "modified": "2020-07-20T00:00:00", "id": "ORACLE:CPUAPR2020", "href": "https://www.oracle.com/security-alerts/cpuapr2020.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
[SECURITY] Fedora 33 Update: dom4j-2.0.3-1.fc33
