Filtered by vendor Redhat Subscriptions
Filtered by product Cryostat Subscriptions
Total 45 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-44487 32 Akka, Amazon, Apache and 29 more 364 Http Server, Opensearch Data Prepper, Apisix and 361 more 2024-12-20 7.5 High
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2024-12397 1 Redhat 13 Amq Streams, Build Keycloak, Camel Quarkus and 10 more 2024-12-13 7.4 High
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.
CVE-2024-12401 1 Redhat 8 Cert Manager, Cryostat, Hybrid Cloud Gateway and 5 more 2024-12-12 4.4 Medium
A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.
CVE-2023-33201 2 Bouncycastle, Redhat 10 Bc-java, Amq Broker, Amq Streams and 7 more 2024-12-04 5.3 Medium
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
CVE-2023-24537 2 Golang, Redhat 21 Go, Advanced Cluster Security, Ansible Automation Platform and 18 more 2024-11-29 7.5 High
Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.
CVE-2024-1300 1 Redhat 20 A Mq Clients, Amq Broker, Amq Streams and 17 more 2024-11-25 5.4 Medium
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.
CVE-2024-1023 1 Redhat 20 A Mq Clients, Amq Broker, Amq Streams and 17 more 2024-11-25 6.5 Medium
A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.
CVE-2023-5675 1 Redhat 11 A Mq Clients, Camel Quarkus, Cryostat and 8 more 2024-11-24 6.5 Medium
A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.
CVE-2023-7008 3 Debian, Redhat, Systemd Project 4 Debian Linux, Cryostat, Enterprise Linux and 1 more 2024-11-23 5.9 Medium
A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.
CVE-2024-24788 1 Redhat 13 Ansible Automation Platform, Cost Management, Cryostat and 10 more 2024-11-21 5.9 Medium
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
CVE-2024-40094 1 Redhat 2 Cryostat, Quarkus 2024-11-21 5.3 Medium
GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions.
CVE-2024-34158 2 Go Build Constraint, Redhat 11 Go Standard Library, Cryostat, Enterprise Linux and 8 more 2024-11-21 7.5 High
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
CVE-2024-34156 2 Go Standard Library, Redhat 16 Encoding\/gob, Advanced Cluster Security, Cryostat and 13 more 2024-11-21 7.5 High
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
CVE-2024-34155 1 Redhat 13 Cost Management, Cryostat, Enterprise Linux and 10 more 2024-11-21 4.3 Medium
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
CVE-2024-30171 1 Redhat 6 Amq Broker, Apache Camel Spring Boot, Camel Quarkus and 3 more 2024-11-21 5.9 Medium
An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.
CVE-2024-29025 1 Redhat 10 Amq Broker, Amq Streams, Cryostat and 7 more 2024-11-21 5.3 Medium
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.
CVE-2024-24791 2 Go Standard Library, Redhat 16 Net\/http, Container Native Virtualization, Cost Management and 13 more 2024-11-21 7.5 High
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
CVE-2024-24790 2 Golang, Redhat 18 Go, Advanced Cluster Security, Ansible Automation Platform and 15 more 2024-11-21 9.8 Critical
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
CVE-2024-24783 1 Redhat 21 Advanced Cluster Security, Ansible Automation Platform, Cryostat and 18 more 2024-11-21 5.9 Medium
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.
CVE-2023-4043 2 Eclipse, Redhat 6 Parsson, Camel Quarkus, Camel Spring Boot and 3 more 2024-11-21 5.9 Medium
In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect. To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.