Filtered by vendor Redhat Subscriptions
Filtered by product Trusted Profile Analyzer Subscriptions
Total 7 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-7254 2 Google, Redhat 10 Google-protobuf, Protobuf, Protobuf-java and 7 more 2024-12-13 7.5 High
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
CVE-2024-3508 1 Redhat 1 Trusted Profile Analyzer 2024-11-21 4.3 Medium
A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed.
CVE-2024-39249 1 Redhat 2 Advanced Cluster Security, Trusted Profile Analyzer 2024-11-21 7.5 High
Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input.
CVE-2024-21538 2 Cross-spawn, Redhat 6 Cross-spawn, Advanced Cluster Security, Openshift and 3 more 2024-11-19 7.5 High
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
CVE-2024-21536 2 Chimurai, Redhat 4 Http-proxy-middleware, Openshift Distributed Tracing, Service Mesh and 1 more 2024-11-01 7.5 High
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
CVE-2024-45590 3 Expressjs, Openjsf, Redhat 10 Body-parser, Body-parser, Advanced Cluster Security and 7 more 2024-09-20 7.5 High
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
CVE-2024-45296 2 Pillarjs, Redhat 15 Path-to-regexp, Acm, Ansible Automation Platform and 12 more 2024-09-10 7.5 High
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.