Details of VAR-202201-1553

ID

VAR-202201-1553

CVE

CVE-2022-23437

TITLE

Apache Xerces Java XML Blinds in parsers XPath Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-002358

DESCRIPTION

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions. Xerces is an open source project for XML document parsing promoted by the Apache organization. Description: Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services. Security Fix(es): * chart.js: prototype pollution (CVE-2020-7746) * moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129) * package immer before 9.0.6. After installing the update, restart the server by starting the JBoss Application Server process. The References section of this erratum contains a download link. You must log in to download the update. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.4.5 security update on RHEL 7 Advisory ID: RHSA-2022:4918-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2022:4918 Issue date: 2022-06-06 CVE Names: CVE-2020-36518 CVE-2021-37136 CVE-2021-37137 CVE-2021-42392 CVE-2021-43797 CVE-2022-0084 CVE-2022-0853 CVE-2022-0866 CVE-2022-1319 CVE-2022-21299 CVE-2022-21363 CVE-2022-23221 CVE-2022-23437 CVE-2022-23913 CVE-2022-24785 ==================================================================== 1. Summary: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 7.4 for RHEL 7 Server - noarch, x86_64 3. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.5 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.4 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.5 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * h2: Loading of custom classes from remote servers through JNDI (CVE-2022-23221) * jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518) * netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136) * netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137) * h2: Remote Code Execution in Console (CVE-2021-42392) * netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797) * xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084) * wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866) * undertow: Double AJP response for 400 from EAP 7 results in CPING failures (CVE-2022-1319) * OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) (CVE-2022-21299) * mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors (CVE-2022-21363) * xerces-j2: infinite loop when handling specially crafted XML document payloads (CVE-2022-23437) * artemis-commons: Apache ActiveMQ Artemis DoS (CVE-2022-23913) * Moment.js: Path traversal in moment.locale (CVE-2022-24785) * jboss-client: memory leakage in remote client transaction (CVE-2022-0853) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling 2039403 - CVE-2021-42392 h2: Remote Code Execution in Console 2041472 - CVE-2022-21299 OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) 2044596 - CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI 2047200 - CVE-2022-23437 xerces-j2: infinite loop when handling specially crafted XML document payloads 2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors 2060725 - CVE-2022-0853 jboss-client: memory leakage in remote client transaction 2060929 - CVE-2022-0866 wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled 2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS 2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale 2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from EAP 7 results in CPING failures 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-23120 - Tracker bug for the EAP 7.4.5 release for RHEL-7 JBEAP-23171 - (7.4.z) Upgrade HAL from 3.3.9.Final-redhat-00001 to 3.3.12.Final-redhat-00001 JBEAP-23194 - Upgrade hibernate-validator from 6.0.22.Final-redhat-00002 to 6.0.23-redhat-00001 JBEAP-23241 - [GSS](7.4.z) Upgrade jberet from 1.3.9 to 1.3.9.SP1 JBEAP-23299 - (7.4.z) Upgrade Artemis from 2.16.0.redhat-00034 to 2.16.0.redhat-00042 JBEAP-23300 - [GSS](7.4.z) Upgrade JBoss Remoting from 5.0.23.SP1 to 5.0.24.SP1 JBEAP-23312 - (7.4.z) Upgrade WildFly Core from 15.0.8.Final-redhat-00001 to 15.0.12.Final-redhat-00001 JBEAP-23313 - (7.4.z) Upgrade Elytron from 1.15.11.Final-redhat-00002 to 1.15.12.Final-redhat-00001 JBEAP-23336 - (7.4.z) Upgrade Hibernate ORM from 5.3.25.Final-redhat-00002 to 5.3.26.Final-redhat-00002 JBEAP-23338 - [GSS](7.4.z) Upgrade Undertow from 2.2.16 to 2.2.17.SP3 JBEAP-23339 - [GSS](7.4.z) Upgrade wildfly-http-ejb-client from 1.1.10 to 1.1.11.SP1 JBEAP-23351 - (7.4.z) Upgrade org.apache.logging.log4j from 2.17.1.redhat-00001 to 2.17.1.redhat-00002 JBEAP-23353 - (7.4.z) Upgrade wildfly-transaction-client from 1.1.14.Final-redhat-00001 to 1.1.15.Final-redhat-x JBEAP-23429 - [PM](7.4.z) JDK17 Update Tested Configurations page and make note in Update release notes JBEAP-23432 - [GSS](7.4.z) Upgrade JSF API from 3.0.0.SP04 to 3.0.0.SP05 JBEAP-23451 - [PST] (7.4.z) Upgrade to FasterXML Jackson to 2.12.6.redhat-00001 and Jackson Databind to 2.12.6.1.redhat-00003 JBEAP-23531 - [GSS](7.4.z) Upgrade Undertow from 2.2.17.SP3 to 2.2.17.SP4 JBEAP-23532 - (7.4.z) Upgrade WildFly Core from 15.0.12.Final-redhat-00001 to 15.0.13.Final-redhat-00001 7. Package List: Red Hat JBoss EAP 7.4 for RHEL 7 Server: Source: eap7-activemq-artemis-2.16.0-9.redhat_00042.1.el7eap.src.rpm eap7-h2database-1.4.197-2.redhat_00004.1.el7eap.src.rpm eap7-hal-console-3.3.12-1.Final_redhat_00001.1.el7eap.src.rpm eap7-hibernate-5.3.26-1.Final_redhat_00002.2.el7eap.src.rpm eap7-hibernate-validator-6.0.23-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jackson-annotations-2.12.6-1.redhat_00001.1.el7eap.src.rpm eap7-jackson-core-2.12.6-1.redhat_00001.1.el7eap.src.rpm eap7-jackson-databind-2.12.6.1-1.redhat_00003.1.el7eap.src.rpm eap7-jackson-jaxrs-providers-2.12.6-1.redhat_00001.1.el7eap.src.rpm eap7-jackson-modules-base-2.12.6-1.redhat_00001.1.el7eap.src.rpm eap7-jackson-modules-java8-2.12.6-1.redhat_00001.1.el7eap.src.rpm eap7-jberet-1.3.9-1.SP1_redhat_00001.1.el7eap.src.rpm eap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP05_redhat_00002.1.el7eap.src.rpm eap7-jboss-remoting-5.0.24-1.SP1_redhat_00001.1.el7eap.src.rpm eap7-jboss-server-migration-1.10.0-16.Final_redhat_00015.1.el7eap.src.rpm eap7-jboss-xnio-base-3.8.7-1.SP1_redhat_00001.1.el7eap.src.rpm eap7-log4j-2.17.1-2.redhat_00002.1.el7eap.src.rpm eap7-netty-4.1.72-4.Final_redhat_00001.1.el7eap.src.rpm eap7-netty-tcnative-2.0.48-1.Final_redhat_00001.1.el7eap.src.rpm eap7-netty-transport-native-epoll-4.1.72-1.Final_redhat_00001.1.el7eap.src.rpm eap7-snakeyaml-1.29.0-1.redhat_00001.2.el7eap.src.rpm eap7-undertow-2.2.17-2.SP4_redhat_00001.1.el7eap.src.rpm eap7-wildfly-7.4.5-3.GA_redhat_00001.1.el7eap.src.rpm eap7-wildfly-elytron-1.15.12-1.Final_redhat_00001.1.el7eap.src.rpm eap7-wildfly-http-client-1.1.11-1.SP1_redhat_00001.1.el7eap.src.rpm eap7-wildfly-transaction-client-1.1.15-1.Final_redhat_00001.1.el7eap.src.rpm eap7-xerces-j2-2.12.0-3.SP04_redhat_00001.1.el7eap.src.rpm noarch: eap7-activemq-artemis-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-cli-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-commons-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-core-client-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-dto-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-hornetq-protocol-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-hqclient-protocol-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-jdbc-store-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-jms-client-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-jms-server-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-journal-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-ra-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-selector-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-server-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-service-extensions-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-tools-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-h2database-1.4.197-2.redhat_00004.1.el7eap.noarch.rpm eap7-hal-console-3.3.12-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-hibernate-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-core-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-entitymanager-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-envers-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-java8-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-validator-6.0.23-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-hibernate-validator-cdi-6.0.23-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jackson-annotations-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-core-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-databind-2.12.6.1-1.redhat_00003.1.el7eap.noarch.rpm eap7-jackson-datatype-jdk8-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-datatype-jsr310-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-jaxrs-base-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-jaxrs-json-provider-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-module-jaxb-annotations-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-modules-base-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-modules-java8-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jberet-1.3.9-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-jberet-core-1.3.9-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP05_redhat_00002.1.el7eap.noarch.rpm eap7-jboss-remoting-5.0.24-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-server-migration-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm eap7-jboss-server-migration-cli-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm eap7-jboss-server-migration-core-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm eap7-jboss-xnio-base-3.8.7-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-log4j-2.17.1-2.redhat_00002.1.el7eap.noarch.rpm eap7-netty-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-all-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-buffer-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-dns-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-haproxy-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-http-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-http2-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-memcache-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-mqtt-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-redis-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-smtp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-socks-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-stomp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-xml-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-common-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-handler-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-handler-proxy-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-resolver-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-resolver-dns-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-resolver-dns-classes-macos-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-tcnative-2.0.48-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-classes-epoll-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-classes-kqueue-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-native-unix-common-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-rxtx-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-sctp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-udt-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-snakeyaml-1.29.0-1.redhat_00001.2.el7eap.noarch.rpm eap7-undertow-2.2.17-2.SP4_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-elytron-1.15.12-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-elytron-tool-1.15.12-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-client-common-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-ejb-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-naming-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-transaction-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-java-jdk11-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-java-jdk8-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-javadocs-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-modules-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-transaction-client-1.1.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-xerces-j2-2.12.0-3.SP04_redhat_00001.1.el7eap.noarch.rpm x86_64: eap7-netty-transport-native-epoll-4.1.72-1.Final_redhat_00001.1.el7eap.x86_64.rpm eap7-netty-transport-native-epoll-debuginfo-4.1.72-1.Final_redhat_00001.1.el7eap.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2021-37136 https://access.redhat.com/security/cve/CVE-2021-37137 https://access.redhat.com/security/cve/CVE-2021-42392 https://access.redhat.com/security/cve/CVE-2021-43797 https://access.redhat.com/security/cve/CVE-2022-0084 https://access.redhat.com/security/cve/CVE-2022-0853 https://access.redhat.com/security/cve/CVE-2022-0866 https://access.redhat.com/security/cve/CVE-2022-1319 https://access.redhat.com/security/cve/CVE-2022-21299 https://access.redhat.com/security/cve/CVE-2022-21363 https://access.redhat.com/security/cve/CVE-2022-23221 https://access.redhat.com/security/cve/CVE-2022-23437 https://access.redhat.com/security/cve/CVE-2022-23913 https://access.redhat.com/security/cve/CVE-2022-24785 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYp5qBdzjgjWX9erEAQgudg/+KIuaXQZawyOnSNF4IIR8WYnfcW8Ojsfk 27VFNY6WCSn07IkzyDFuCLHsmUEesiJvpYssOx4CuX1YEmlF7S/KepyI6QDVC+BV hFAfaVE1gdrny1sqaS8k4VFE9rHODML1q2yyeUNgdtL4YGdOeduqOEn6Q6GS/rvh +8vCZFkFb9QKxxItc1xvxvU8kAomQun+eqr040IHuF0jAZfLI18/5vzsPqeQG+Ua qU4CG5FucVytEkJCnQ8Ci3QH3FCm/BPqotyhO3OAi1b5+db+fT+UqJpiuHYCsPcQ 8DRKizi/ia6Rq5b/OTFodA8lo6U3nDIljJ7QcuADgGzX4fak+BxQNkQMfhS4/b01 /yFU034PmQBTJpm0r5Vb4V4lBWzAi5QMDttI4wncuM3VGbxSoEEXzdzFHVzgoy1r qDGfJ1C5VnSJeLawDa6tGyndBiVga/PPgx0CoSIPsAYnjXYfJM1DsohUXppTL1k+ z8W2UIoIGqycYdCm60uJ+qbzqLlODNXmXn154OJL3O/o6Nz7O+uqVt+WfaNnwO/Y wf85wHGjzLaOALZfly/fENQr5Aijb9WqavN3tbcipj6+F4D3OLJMOSap8+TOXF3C StEX/XQpQASMmemvHJr/8c9Fx6tumJ+hLI4EyXfNdlYFJFQY4l4J0X6+mH047B3G R+RN8v8nzXQ{m6 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 2.16

sources: NVD: CVE-2022-23437 // JVNDB: JVNDB-2022-002358 // VULHUB: VHN-412572 // VULMON: CVE-2022-23437 // PACKETSTORM: 168638 // PACKETSTORM: 167424 // PACKETSTORM: 167423 // PACKETSTORM: 167422

AFFECTED PRODUCTS

vendor:	日立	model:	ucosminexus primary server base	scope:	-	version:	-	Trust: 1.6
vendor:	日立	model:	ucosminexus service platform	scope:	-	version:	-	Trust: 1.6
vendor:	日立	model:	ucosminexus application server	scope:	-	version:	-	Trust: 1.6
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	gte	version:	8.1.0.0	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	gte	version:	18.8.0	Trust: 1.0
vendor:	oracle	model:	retail service backbone	scope:	eq	version:	14.1.3.2	Trust: 1.0
vendor:	oracle	model:	financial services enterprise case management	scope:	eq	version:	8.0.8.1	Trust: 1.0
vendor:	oracle	model:	retail financial integration	scope:	eq	version:	19.0.1	Trust: 1.0
vendor:	oracle	model:	agile plm	scope:	eq	version:	9.3.6	Trust: 1.0
vendor:	oracle	model:	banking deposits and lines of credit servicing	scope:	eq	version:	2.7	Trust: 1.0
vendor:	oracle	model:	financial services enterprise case management	scope:	eq	version:	8.0.7.2.0	Trust: 1.0
vendor:	oracle	model:	retail financial integration	scope:	eq	version:	15.0.3.1	Trust: 1.0
vendor:	oracle	model:	financial services behavior detection platform	scope:	eq	version:	8.1.1.1	Trust: 1.0
vendor:	oracle	model:	retail integration bus	scope:	eq	version:	16.0.3	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.3.0	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	lte	version:	19.12.13	Trust: 1.0
vendor:	oracle	model:	financial services behavior detection platform	scope:	eq	version:	8.1.1.0	Trust: 1.0
vendor:	oracle	model:	agile engineering data management	scope:	eq	version:	6.2.1.0	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	gte	version:	19.12.0	Trust: 1.0
vendor:	oracle	model:	health sciences information manager	scope:	gte	version:	3.0.1	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	gte	version:	8.0.6.0.0	Trust: 1.0
vendor:	oracle	model:	financial services enterprise case management	scope:	eq	version:	8.0.7.1	Trust: 1.0
vendor:	oracle	model:	communications session report manager	scope:	lt	version:	9.0	Trust: 1.0
vendor:	oracle	model:	global lifecycle management nextgen oui framework	scope:	eq	version:	13.9.4.2.2	Trust: 1.0
vendor:	oracle	model:	retail extract transform and load	scope:	eq	version:	13.2.8	Trust: 1.0
vendor:	oracle	model:	retail integration bus	scope:	eq	version:	14.1.3.2	Trust: 1.0
vendor:	oracle	model:	retail merchandising system	scope:	eq	version:	19.0.1	Trust: 1.0
vendor:	oracle	model:	retail service backbone	scope:	eq	version:	15.0.3.1	Trust: 1.0
vendor:	oracle	model:	retail service backbone	scope:	eq	version:	19.0.1	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	14.1.1.0.0	Trust: 1.0
vendor:	netapp	model:	active iq unified manager	scope:	eq	version:	-	Trust: 1.0
vendor:	oracle	model:	financial services crime and compliance management studio	scope:	eq	version:	8.0.8.3.0	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	gte	version:	17.7	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	lte	version:	8.0.9.0	Trust: 1.0
vendor:	oracle	model:	product lifecycle analytics	scope:	eq	version:	3.6.1	Trust: 1.0
vendor:	oracle	model:	retail merchandising system	scope:	eq	version:	16.0.3	Trust: 1.0
vendor:	oracle	model:	ilearning	scope:	eq	version:	6.2	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	lte	version:	17.12.11	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	lte	version:	18.8.14	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	lt	version:	8.1.2.0	Trust: 1.0
vendor:	oracle	model:	communications asap	scope:	eq	version:	7.3	Trust: 1.0
vendor:	oracle	model:	financial services crime and compliance management studio	scope:	eq	version:	8.0.8.2.0	Trust: 1.0
vendor:	oracle	model:	financial services behavior detection platform	scope:	lte	version:	8.0.8.0	Trust: 1.0
vendor:	oracle	model:	retail financial integration	scope:	eq	version:	16.0.3	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	lte	version:	20.12.8	Trust: 1.0
vendor:	oracle	model:	retail bulk data integration	scope:	eq	version:	16.0.3.0	Trust: 1.0
vendor:	oracle	model:	financial services enterprise case management	scope:	eq	version:	8.0.8.0	Trust: 1.0
vendor:	oracle	model:	global lifecycle management opatch	scope:	lt	version:	12.2.0.1.30	Trust: 1.0
vendor:	apache	model:	xerces-j	scope:	lte	version:	2.12.1	Trust: 1.0
vendor:	oracle	model:	health sciences information manager	scope:	eq	version:	3.0.0.1	Trust: 1.0
vendor:	oracle	model:	peoplesoft enterprise peopletools	scope:	eq	version:	8.58	Trust: 1.0
vendor:	oracle	model:	retail integration bus	scope:	eq	version:	19.0.1	Trust: 1.0
vendor:	oracle	model:	retail integration bus	scope:	eq	version:	15.0.3.1	Trust: 1.0
vendor:	oracle	model:	communications element manager	scope:	lt	version:	9.0	Trust: 1.0
vendor:	oracle	model:	global lifecycle management nextgen oui framework	scope:	lt	version:	13.9.4.2.2	Trust: 1.0
vendor:	oracle	model:	peoplesoft enterprise peopletools	scope:	eq	version:	8.59	Trust: 1.0
vendor:	oracle	model:	flexcube universal banking	scope:	eq	version:	12.4.0	Trust: 1.0
vendor:	oracle	model:	financial services enterprise case management	scope:	eq	version:	8.1.1.1	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	gte	version:	20.12.0	Trust: 1.0
vendor:	oracle	model:	retail financial integration	scope:	eq	version:	14.1.3.2	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.4.0	Trust: 1.0
vendor:	oracle	model:	financial services enterprise case management	scope:	eq	version:	8.1.1.0	Trust: 1.0
vendor:	oracle	model:	retail service backbone	scope:	eq	version:	16.0.3	Trust: 1.0
vendor:	oracle	model:	financial services behavior detection platform	scope:	gte	version:	8.0.6.0.0	Trust: 1.0
vendor:	oracle	model:	ilearning	scope:	eq	version:	6.3	Trust: 1.0
vendor:	oracle	model:	financial services behavior detection platform	scope:	eq	version:	8.1.2.0	Trust: 1.0
vendor:	oracle	model:	communications session route manager	scope:	lt	version:	9.0	Trust: 1.0
vendor:	oracle	model:	health sciences information manager	scope:	lte	version:	3.0.5	Trust: 1.0
vendor:	oracle	model:	banking party management	scope:	eq	version:	2.7.0	Trust: 1.0
vendor:	日立	model:	ucosminexus application server smart edition	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus developer professional	scope:	-	version:	-	Trust: 0.8
vendor:	オラクル	model:	oracle retail bulk data integration	scope:	-	version:	-	Trust: 0.8
vendor:	オラクル	model:	oracle ilearning	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus developer	scope:	-	version:	-	Trust: 0.8
vendor:	オラクル	model:	oracle retail extract transform and load	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus operator	scope:	-	version:	-	Trust: 0.8
vendor:	オラクル	model:	oracle financial services enterprise case management	scope:	-	version:	-	Trust: 0.8
vendor:	オラクル	model:	communications session route manager	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus developer standard	scope:	-	version:	-	Trust: 0.8
vendor:	オラクル	model:	oracle communications session element manager	scope:	-	version:	-	Trust: 0.8
vendor:	オラクル	model:	oracle financial services analytical applications infrastructure	scope:	-	version:	-	Trust: 0.8
vendor:	オラクル	model:	oracle communications session report manager	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus application server standard-r	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus application server enterprise	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus application server-r	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus service architect	scope:	-	version:	-	Trust: 0.8
vendor:	apache	model:	xerces2 java	scope:	-	version:	-	Trust: 0.8
vendor:	オラクル	model:	oracle retail financial integration	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus application server standard	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus client	scope:	-	version:	-	Trust: 0.8
vendor:	オラクル	model:	oracle financial services behavior detection platform	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-002358 // NVD: CVE-2022-23437

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-23437
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2022-23437
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202201-2238
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-412572
value:	HIGH
Trust: 0.1
VULMON:	CVE-2022-23437
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2022-23437
severity:	HIGH
baseScore:	7.1
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-412572
severity:	HIGH
baseScore:	7.1
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-23437
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2022-23437
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-412572 // VULMON: CVE-2022-23437 // JVNDB: JVNDB-2022-002358 // CNNVD: CNNVD-202201-2238 // NVD: CVE-2022-23437

PROBLEMTYPE DATA

problemtype:	CWE-835	Trust: 1.0
problemtype:	BLIND XPath injection (CWE-91) [NVD evaluation ]	Trust: 0.8
problemtype:	CWE-91	Trust: 0.1

sources: VULHUB: VHN-412572 // JVNDB: JVNDB-2022-002358 // NVD: CVE-2022-23437

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-2238

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202201-2238

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-412572

PATCH

title:	hitachi-sec-2022-129 Software product security information	url:	https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl	Trust: 0.8
title:	Xerces Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=183803	Trust: 0.6
title:	Debian CVElist Bug Report Logs: libxerces2-java: CVE-2022-23437	url:	https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=a1fbd856d1d488007b4277fd666e30c1	Trust: 0.1
title:	Red Hat: CVE-2022-23437	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2022-23437	Trust: 0.1
title:	Hitachi Security Advisories: Vulnerability in Cosminexus XML Processor	url:	https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories&qid=hitachi-sec-2022-129	Trust: 0.1
title:	Red Hat: Moderate: Red Hat JBoss Enterprise Application Platform 7.4.5 security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20224922 - Security Advisory	Trust: 0.1
title:	Red Hat: Moderate: Red Hat JBoss Enterprise Application Platform 7.4.5 security update on RHEL 8	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20224919 - Security Advisory	Trust: 0.1
title:	Red Hat: Moderate: Red Hat JBoss Enterprise Application Platform 7.4.5 security update on RHEL 7	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20224918 - Security Advisory	Trust: 0.1
title:	Red Hat: Important: Red Hat Process Automation Manager 7.13.1 security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20226813 - Security Advisory	Trust: 0.1
title:	Hitachi Security Advisories: Multiple Vulnerabilities in Hitachi Ops Center Common Services	url:	https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories&qid=hitachi-sec-2022-136	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-23305	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-RCE	Trust: 0.1

sources: VULMON: CVE-2022-23437 // JVNDB: JVNDB-2022-002358 // CNNVD: CNNVD-202201-2238

EXTERNAL IDS

db:	NVD	id:	CVE-2022-23437	Trust: 3.8
db:	OPENWALL	id:	OSS-SECURITY/2022/01/24/3	Trust: 1.8
db:	PACKETSTORM	id:	167423	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-002358	Trust: 0.8
db:	CNNVD	id:	CNNVD-202201-2238	Trust: 0.7
db:	PACKETSTORM	id:	168638	Trust: 0.7
db:	CS-HELP	id:	SB2022072056	Trust: 0.6
db:	CS-HELP	id:	SB2022012503	Trust: 0.6
db:	CS-HELP	id:	SB2022041946	Trust: 0.6
db:	CS-HELP	id:	SB2022042289	Trust: 0.6
db:	CS-HELP	id:	SB2022072096	Trust: 0.6
db:	CS-HELP	id:	SB2022060838	Trust: 0.6
db:	CS-HELP	id:	SB2022042544	Trust: 0.6
db:	CS-HELP	id:	SB2022071806	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.0760	Trust: 0.6
db:	AUSCERT	id:	ESB-2023.1653	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.2799	Trust: 0.6
db:	PACKETSTORM	id:	167422	Trust: 0.2
db:	PACKETSTORM	id:	167424	Trust: 0.2
db:	CNVD	id:	CNVD-2022-14709	Trust: 0.1
db:	VULHUB	id:	VHN-412572	Trust: 0.1
db:	VULMON	id:	CVE-2022-23437	Trust: 0.1

sources: VULHUB: VHN-412572 // VULMON: CVE-2022-23437 // JVNDB: JVNDB-2022-002358 // PACKETSTORM: 168638 // PACKETSTORM: 167424 // PACKETSTORM: 167423 // PACKETSTORM: 167422 // CNNVD: CNNVD-202201-2238 // NVD: CVE-2022-23437

REFERENCES

url:	https://www.oracle.com/security-alerts/cpuapr2022.html	Trust: 2.4
url:	https://security.netapp.com/advisory/ntap-20221028-0005/	Trust: 1.8
url:	https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl	Trust: 1.8
url:	https://www.oracle.com/security-alerts/cpujul2022.html	Trust: 1.8
url:	http://www.openwall.com/lists/oss-security/2022/01/24/3	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-23437	Trust: 1.8
url:	https://www.auscert.org.au/bulletins/esb-2022.2799	Trust: 0.6
url:	https://packetstormsecurity.com/files/167423/red-hat-security-advisory-2022-4918-01.html	Trust: 0.6
url:	https://vigilance.fr/vulnerability/apache-xerces-java-overload-37356	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.0760	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022072056	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022042544	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022060838	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2023.1653	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022042289	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022072096	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022041946	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022012503	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022071806	Trust: 0.6
url:	https://packetstormsecurity.com/files/168638/red-hat-security-advisory-2022-6813-01.html	Trust: 0.6
url:	https://access.redhat.com/security/cve/cve-2022-23437	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2022-23913	Trust: 0.4
url:	https://access.redhat.com/security/team/contact/	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2022-21363	Trust: 0.4
url:	https://listman.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2022-24785	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2022-23913	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2022-21363	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2020-36518	Trust: 0.4
url:	https://bugzilla.redhat.com/):	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2020-36518	Trust: 0.4
url:	https://issues.jboss.org/):	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0084	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2021-43797	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-0866	Trust: 0.3
url:	https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-0084	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2021-37137	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-21299	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-21299	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2021-42392	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-23221	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-24785	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2021-43797	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2021-37137	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2021-42392	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-1319	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2021-37136	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-1319	Trust: 0.3
url:	https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0866	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2021-37136	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0853	Trust: 0.3
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-23221	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-0853	Trust: 0.3
url:	https://access.redhat.com/articles/11258	Trust: 0.2
url:	https://access.redhat.com/security/team/key/	Trust: 0.2
url:	https://cwe.mitre.org/data/definitions/835.html	Trust: 0.1
url:	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016975	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/alphabugx/cve-2022-23305	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-24771	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-31129	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0235	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-21724	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-23436	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-7746	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-1365	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-44906	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0722	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-0235	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-23436	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-1365	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-1650	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-26520	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-44906	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-24771	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-2458	Trust: 0.1
url:	https://access.redhat.com/security/updates/classification/#important	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:6813	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-2458	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-24772	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-7746	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-21724	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-0722	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-1650	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:4919	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:4918	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=securitypatches&product=appplatform&version=7.4	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:4922	Trust: 0.1

CREDITS

Red Hat

Trust: 0.4

sources: PACKETSTORM: 168638 // PACKETSTORM: 167424 // PACKETSTORM: 167423 // PACKETSTORM: 167422

SOURCES

db:	VULHUB	id:	VHN-412572
db:	VULMON	id:	CVE-2022-23437
db:	JVNDB	id:	JVNDB-2022-002358
db:	PACKETSTORM	id:	168638
db:	PACKETSTORM	id:	167424
db:	PACKETSTORM	id:	167423
db:	PACKETSTORM	id:	167422
db:	CNNVD	id:	CNNVD-202201-2238
db:	NVD	id:	CVE-2022-23437

LAST UPDATE DATE

2024-08-14T13:08:35.885000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-412572	date:	2022-12-07T00:00:00
db:	VULMON	id:	CVE-2022-23437	date:	2023-08-08T00:00:00
db:	JVNDB	id:	JVNDB-2022-002358	date:	2022-11-02T07:40:00
db:	CNNVD	id:	CNNVD-202201-2238	date:	2023-03-21T00:00:00
db:	NVD	id:	CVE-2022-23437	date:	2023-08-08T14:22:24.967

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-412572	date:	2022-01-24T00:00:00
db:	VULMON	id:	CVE-2022-23437	date:	2022-01-24T00:00:00
db:	JVNDB	id:	JVNDB-2022-002358	date:	2022-09-07T00:00:00
db:	PACKETSTORM	id:	168638	date:	2022-10-06T12:37:43
db:	PACKETSTORM	id:	167424	date:	2022-06-07T15:15:05
db:	PACKETSTORM	id:	167423	date:	2022-06-07T15:14:53
db:	PACKETSTORM	id:	167422	date:	2022-06-07T15:14:37
db:	CNNVD	id:	CNNVD-202201-2238	date:	2022-01-24T00:00:00
db:	NVD	id:	CVE-2022-23437	date:	2022-01-24T15:15:09.317