Filtered by vendor Redhat Subscriptions
Filtered by product Service Registry Subscriptions
Total 51 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-0981 2 Quarkus, Redhat 4 Quarkus, Camel Quarkus, Quarkus and 1 more 2024-11-21 8.8 High
A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy Reactive. This flaw allows a low-privileged user to perform operations on the database with a different set of privileges than intended.
CVE-2022-0536 2 Follow-redirects Project, Redhat 7 Follow-redirects, Acm, Openshift Data Foundation and 4 more 2024-11-21 2.6 Low
Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.
CVE-2022-0235 4 Debian, Node-fetch Project, Redhat and 1 more 14 Debian Linux, Node-fetch, Acm and 11 more 2024-11-21 6.1 Medium
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
CVE-2021-46877 2 Fasterxml, Redhat 13 Jackson-databind, Amq Streams, Camel Spring Boot and 10 more 2024-11-21 7.5 High
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
CVE-2021-41269 2 Cron-utils Project, Redhat 4 Cron-utils, Camel Quarkus, Openshift Application Runtimes and 1 more 2024-11-21 10 Critical
cron-utils is a Java library to define, parse, validate, migrate crons as well as get human readable descriptions for them. In affected versions A template Injection was identified in cron-utils enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Versions up to 9.1.2 are susceptible to this vulnerability. Please note, that only projects using the @Cron annotation to validate untrusted Cron expressions are affected. The issue was patched and a new version was released. Please upgrade to version 9.1.6. There are no known workarounds known.
CVE-2021-40690 4 Apache, Debian, Oracle and 1 more 26 Cxf, Santuario Xml Security For Java, Tomee and 23 more 2024-11-21 7.5 High
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
CVE-2021-38153 4 Apache, Oracle, Quarkus and 1 more 15 Kafka, Communications Brm - Elastic Charging Engine, Communications Cloud Native Core Policy and 12 more 2024-11-21 5.9 Medium
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
CVE-2021-37137 6 Debian, Netapp, Netty and 3 more 23 Debian Linux, Oncommand Insight, Netty and 20 more 2024-11-21 7.5 High
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CVE-2021-37136 6 Debian, Netapp, Netty and 3 more 30 Debian Linux, Oncommand Insight, Netty and 27 more 2024-11-21 7.5 High
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
CVE-2021-22569 3 Google, Oracle, Redhat 14 Google-protobuf, Protobuf-java, Protobuf-kotlin and 11 more 2024-11-21 7.5 High
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
CVE-2023-4639 1 Redhat 14 Camel Quarkus, Camel Spring Boot, Integration and 11 more 2024-11-18 7.4 High
A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.