Lucene search

K
redhatRedHatRHSA-2023:1334
HistoryMar 20, 2023 - 9:11 a.m.

(RHSA-2023:1334) Critical: Red Hat Process Automation Manager 7.13.2 security update

2023-03-2009:11:08
access.redhat.com
68
red hat process automation manager
security update
code execution
denial of service
vulnerabilities

7.8 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.974 High

EPSS

Percentile

99.9%

Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.

This asynchronous security patch is an update to Red Hat Process Automation Manager 7.

Security Fixes:

  • lucene: Solr: Code execution via entity expansion (CVE-2017-12629)

  • handlebars: nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)

  • handlebars: nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)

  • handlebars: nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option (CVE-2021-23383)

  • handlebars: nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option (CVE-2021-23369)

  • rhpam-7-businesscentral-rhel8-container: maven: Block repositories using http by default (CVE-2021-26291)

  • unboundid-ldapsdk: Incorrect Access Control vulnerability in process function in SimpleBindRequest class (CVE-2018-1000134)

  • handlebars: nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads (CVE-2019-19919)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

7.8 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.974 High

EPSS

Percentile

99.9%