ID

VAR-202301-0598


CVE

CVE-2022-45787


TITLE

Apache James MIME4J: Plaintext storage of sensitive information vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2023-001784

DESCRIPTION

Improper, lax permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions. We recommend that users upgrade to MIME4J version 0.8.9 or later.

Apache James MIME4J contains a vulnerability involving plaintext storage of sensitive information; information may be obtained.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.4.10 on RHEL 7 security update
Advisory ID: RHSA-2023:1512-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1512
Issue date: 2023-03-29
CVE Names: CVE-2022-1471 CVE-2022-4492 CVE-2022-38752 CVE-2022-41853 CVE-2022-41854 CVE-2022-41881 CVE-2022-45787 CVE-2023-0482 CVE-2023-1108
=====================================================================

1. Summary:

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 7.4 for RHEL 7 Server - noarch, x86_64

3. Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)
* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)
* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)
* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
* apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider (CVE-2022-45787)
* RESTEasy: creation of insecure temp files (CVE-2023-0482)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow
2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client
2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close

6. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-23572 - (7.4.z) Upgrade jbossws-spi from 3.3.1.Final-redhat-00001 to 3.4.0.Final-redhat-00001
JBEAP-24120 - Tracker bug for the EAP 7.4.10 release for RHEL-7
JBEAP-24172 - (7.4.z) Upgrade jbossws-cxf from 5.4.4.Final-redhat-00001 to 5.4.8.Final-redhat-00001
JBEAP-24182 - (7.4.z) Upgrade wildfly-http-ejb-client from 1.1.13.SP1-redhat-00001 to 1.1.16.Final-redhat-00002
JBEAP-24220 - [GSS](7.4.z) Upgrade JBoss Metadata from 13.0.0.Final-redhat-00001 to 13.4.0.Final-redhat-00001
JBEAP-24254 - JDK17, CLI script to update security doesn't apply to microprofile
JBEAP-24292 - (7.4.z) Upgrade Artemis Native from 1.0.2.redhat-00001 to 1.0.2.redhat-00004
JBEAP-24339 - (7.4.z) Upgrade Undertow from 2.2.22.SP3-redhat-00001 to 2.2.23.SP1
JBEAP-24341 - (7.4.z) Upgrade Ironjacamar from 1.5.10.Final-redhat-00001 to 1.5.11.Final-redhat-00001
JBEAP-24363 - (7.4.z) Upgrade org.jboss.spec.javax.el:jboss-el-api_3.0_spec from 2.0.0.Final-redhat-00001 to 2.0.1.Final
JBEAP-24372 - (7.4.z) Upgrade PicketLink from 2.5.5.SP12-redhat-00011 to 2.5.5.SP12-redhat-00012
JBEAP-24380 - (7.4.z) Upgrade jastow from 2.0.11.Final-redhat-00001 to 2.0.14.Final-redhat-00001
JBEAP-24383 - [GSS](7.4.z) Upgrade artemis-wildfly-integration from 1.0.4 to 1.0.7
JBEAP-24384 - (7.4.z) Upgrade netty from 4.1.77.Final-redhat-00001 to 4.1.86.Final
JBEAP-24385 - (7.4.z) Upgrade WildFly Core from 15.0.22.Final-redhat-00001 to 15.0.23.Final-redhat-00001
JBEAP-24395 - [GSS](7.4.z) Upgrade jboss-ejb-client from 4.0.49.Final-redhat-00001 to 4.0.50.Final
JBEAP-24507 - (7.4.z) RESTEASY-3285 Upgrade resteasy 3.15.x to mime4j 0.8.9
JBEAP-24535 - [GSS](7.4.z) UNDERTOW-2239 - Infinite loop in `SslConduit` during close on JDK 11
JBEAP-24574 - [PST](7.4.z) Upgrade snakeyaml from 1.33.0.redhat-00001 to 1.33.SP1.redhat-00001
JBEAP-24588 - [GSS](7.4.z) RHEL9 rpms: yum groupinstall jboss-eap7 installing JDK11 instead of JDK8 with EAP 7.4 Update 9
JBEAP-24605 - [PST](7.4.z) Upgrade undertow from 2.2.23.SP1-redhat-00001 to 2.2.23.SP2
JBEAP-24618 - (7.4.z) Upgrade WildFly Core from 15.0.23.Final-redhat-00001 to 15.0.25.Final-redhat-00001

7. Package List:

Red Hat JBoss EAP 7.4 for RHEL 7 Server:

Source:
eap7-activemq-artemis-native-1.0.2-3.redhat_00004.1.el7eap.src.rpm
eap7-apache-mime4j-0.8.9-1.redhat_00001.1.el7eap.src.rpm
eap7-artemis-native-1.0.2-4.redhat_00004.1.el7eap.src.rpm
eap7-artemis-wildfly-integration-1.0.7-1.redhat_00001.1.el7eap.src.rpm
eap7-infinispan-11.0.17-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-ironjacamar-1.5.11-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-jboss-ejb-client-4.0.50-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-jboss-el-api_3.0_spec-2.0.1-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-jboss-metadata-13.4.0-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-jboss-server-migration-1.10.0-26.Final_redhat_00025.1.el7eap.src.rpm
eap7-jbossws-cxf-5.4.8-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-jbossws-spi-3.4.0-2.Final_redhat_00001.1.el7eap.src.rpm
eap7-netty-4.1.86-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-netty-transport-native-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-picketlink-federation-2.5.5-22.SP12_redhat_00012.1.el7eap.src.rpm
eap7-resteasy-3.15.5-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-snakeyaml-1.33.0-2.SP1_redhat_00001.1.el7eap.src.rpm
eap7-undertow-2.2.23-1.SP2_redhat_00001.1.el7eap.src.rpm
eap7-undertow-jastow-2.0.14-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-wildfly-7.4.10-6.GA_redhat_00002.1.el7eap.src.rpm
eap7-wildfly-http-client-1.1.16-1.Final_redhat_00002.1.el7eap.src.rpm

noarch:
eap7-activemq-artemis-native-1.0.2-3.redhat_00004.1.el7eap.noarch.rpm
eap7-apache-mime4j-0.8.9-1.redhat_00001.1.el7eap.noarch.rpm
eap7-artemis-wildfly-integration-1.0.7-1.redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-cachestore-jdbc-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-cachestore-remote-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-client-hotrod-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-commons-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-component-annotations-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-core-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-hibernate-cache-commons-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-hibernate-cache-spi-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-hibernate-cache-v53-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-common-api-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-common-impl-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-common-spi-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-core-api-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-core-impl-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-deployers-common-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-jdbc-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-validator-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-ejb-client-4.0.50-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-el-api_3.0_spec-2.0.1-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-metadata-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-metadata-appclient-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-metadata-common-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-metadata-ear-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-metadata-ejb-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-metadata-web-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-server-migration-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm
eap7-jboss-server-migration-cli-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm
eap7-jboss-server-migration-core-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm
eap7-jbossws-cxf-5.4.8-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jbossws-spi-3.4.0-2.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-all-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-buffer-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-dns-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-haproxy-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-http-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-http2-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-memcache-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-mqtt-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-redis-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-smtp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-socks-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-stomp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-xml-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-common-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-handler-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-handler-proxy-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-resolver-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-resolver-dns-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-resolver-dns-classes-macos-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-transport-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-transport-classes-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-transport-classes-kqueue-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-transport-native-unix-common-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-transport-rxtx-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-transport-sctp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-transport-udt-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-picketlink-api-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm
eap7-picketlink-common-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm
eap7-picketlink-config-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm
eap7-picketlink-federation-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm
eap7-picketlink-idm-api-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm
eap7-picketlink-idm-impl-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm
eap7-picketlink-idm-simple-schema-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm
eap7-picketlink-impl-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm
eap7-resteasy-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-atom-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-cdi-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-client-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-crypto-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-jackson-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-jackson2-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-jaxb-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-jaxrs-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-jettison-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-jose-jwt-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-jsapi-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-json-binding-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-json-p-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-multipart-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-rxjava2-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-spring-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-validator-provider-11-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-yaml-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-snakeyaml-1.33.0-2.SP1_redhat_00001.1.el7eap.noarch.rpm
eap7-undertow-2.2.23-1.SP2_redhat_00001.1.el7eap.noarch.rpm
eap7-undertow-jastow-2.0.14-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-http-client-common-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-http-ejb-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-http-naming-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-http-transaction-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-java-jdk11-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-java-jdk8-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-javadocs-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-modules-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm

x86_64:
eap7-artemis-native-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm
eap7-artemis-native-debuginfo-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm
eap7-artemis-native-wildfly-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm
eap7-netty-transport-native-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.x86_64.rpm
eap7-netty-transport-native-epoll-debuginfo-4.1.86-1.Final_redhat_00001.1.el7eap.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2022-1471
https://access.redhat.com/security/cve/CVE-2022-4492
https://access.redhat.com/security/cve/CVE-2022-38752
https://access.redhat.com/security/cve/CVE-2022-41853
https://access.redhat.com/security/cve/CVE-2022-41854
https://access.redhat.com/security/cve/CVE-2022-41881
https://access.redhat.com/security/cve/CVE-2022-45787
https://access.redhat.com/security/cve/CVE-2023-0482
https://access.redhat.com/security/cve/CVE-2023-1108
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZCT+zNzjgjWX9erEAQjgHg/+JaRL/MORx2YrlQ2vSQf3wEHiXL7cSG5b
81HEug+HhLXEzqjRLmFtsqM+eBYFMawokVsOX0PBat7yyJUcwttn7NdO8MlEvrKA
Juh3RHqCSJPE3X5N7OnKTkdJUs7Zxfvmzo6mIly321gjUl51bxl/yVPzXuBiI89S
rPgI1n6wdp4Tb/HDxZ5h2rAX7L8xckVzHnr3ld8MG3Mi2CqrvSnLkYy1YsAxiSrF
Q8tT1dCnCAjUEA2wULxq0a+PrH5cCpkBJ8d6w5Y9lxGKuF1dYzUQAIaDuCvTw4w4
7i5g5Gt3X+/uks/8y00NWxDOTHWnzvlHTT7NWZAtSD1PwknaGQJ4dGPJMUo+Y2Tt
cVuxyhcfQMixEc6+P6EwJrdWuaa6MdU8rceWKFc/a8X//BefU0chSAGi9CfXsC1y
WBR75mfFZleVPRoJtQ0ZLz+Se0rsKwxV9F/FbHlcAhCvaZzbDi2PAHH3YhPqMcmu
JdgRJlT/xBDeZMqb+4U9aiwKox53tuXW7ACUZeN8dlP/pCLiiFFaW0jaObR5zfVy
R51T2b2Lyt7HHkxp/GGXNOfZHjkgYDHGssduzDADhMthLPLJrJb9jQdWRrkjFagt
4agw2EM+/mtBpB4Wcsp1CXb61UfU4jv0O5BPIvHx81l+vqZRKVuICmCb4FI/wnEi
fsWX8UaljMw=
=qlyL
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Description: Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

Bugs fixed (https://bugzilla.redhat.com/):

2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider
2163533 - CVE-2023-0481 quarkus: insecure permissions on temp files
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
2174854 - CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks
2180886 - CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow
2181977 - CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption
2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
2211026 - CVE-2023-2974 quarkus-core: TLS protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported TLS protocol

5. JIRA issues fixed (https://issues.redhat.com/):

QUARKUS-2672 - Infinispan client is not aligned with newly released Red Hat Data Grid 8.4
QUARKUS-2787 - Rest Data Panache: Correct Open API integration
QUARKUS-2846 - Ensure that new line chars don't break Panache projection
QUARKUS-2978 - ExceptionMapper<WebApplicationException> is not working in DEV mode
QUARKUS-3158 - Do not create session and PKCE encryption keys if only bearer tokens are expected
QUARKUS-3159 - 2.13: Do not support any Origin by default if CORS is enabled
QUARKUS-3161 - Fix security-csrf-prevention.adoc
QUARKUS-3164 - Logging with Panache: fix LocalVariablesSorter usage
QUARKUS-3167 - Make SDKMAN releases minor for maintenance and preview releases
QUARKUS-3168 - Backport Ensure that ConfigBuilder classes work in native mode to 2.13
QUARKUS-3169 - New home for Narayana LRA coordinator Docker images
QUARKUS-3170 - Fix truststore REST Client config when password is not set
QUARKUS-3173 - Reinitialize sun.security.pkcs11.P11Util at runtime
QUARKUS-3174 - Prevent SSE writing from potentially causing accumulation of headers
QUARKUS-3175 - Filter out RESTEasy related warning in ProviderConfigInjectionWarningsTest
QUARKUS-3176 - Make sure parent modules are loaded into workspace before those that depend on them
QUARKUS-3177 - Fix copy paste error in qute docs
QUARKUS-3178 - Pass `--userns=keep-id` to podman only when in rootless mode
QUARKUS-3179 - Fix stuck HTTP2 request when sent challenge has resumed request
QUARKUS-3181 - Make sure quarkus:go-offline properly supports test scoped dependencies
QUARKUS-3184 - Use SchemaType.ARRAY instead of "ARRAY" for native support
QUARKUS-3185 - Simplify logic in create-app.adoc and allow to define stream
QUARKUS-3187 - Allow context propagation for OpenTelemetry
QUARKUS-3188 - Fix RestAssured URL handling and unexpected restarts in QuarkusProdModeTest
QUARKUS-3191 - Drop ':z' bind option when using MacOS and Podman
QUARKUS-3194 - Exclude Netty's reflection configuration files
QUARKUS-3195 - Integrate the api dependency from Infinispan 14 (#ISPN-14268)
QUARKUS-3205 - Missing JARs and other discrepancies related to xpp3 dependency in 2.13.8.

The purpose of this text-only errata is to inform you about the security issues fixed in this release

Trust: 2.34

sources: NVD: CVE-2022-45787 // JVNDB: JVNDB-2023-001784 // VULMON: CVE-2022-45787 // PACKETSTORM: 171600 // PACKETSTORM: 171593 // PACKETSTORM: 171664 // PACKETSTORM: 172281 // PACKETSTORM: 172266 // PACKETSTORM: 173213 // PACKETSTORM: 173162

AFFECTED PRODUCTS

vendor: apache  model: james  scope: lt  version: 0.8.9

Trust: 1.0

vendor: Hitachi  model: hitachi ops center common services  scope: -  version: -

Trust: 0.8

vendor: apache  model: james  scope: -  version: -

Trust: 0.8

sources: JVNDB: JVNDB-2023-001784 // NVD: CVE-2022-45787

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-45787
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-45787
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202301-447
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2022-45787
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2022-45787
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-001784 // CNNVD: CNNVD-202301-447 // NVD: CVE-2022-45787

PROBLEMTYPE DATA

problemtype:CWE-312

Trust: 1.0

problemtype: Plaintext storage of sensitive information (CWE-312) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2023-001784 // NVD: CVE-2022-45787

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202301-447

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-202301-447

PATCH

title: hitachi-sec-2023-143  url: https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj

Trust: 0.8

title: Apache James repair measures for information disclosure vulnerabilities  url: http://123.124.177.30/web/xxk/bdxqById.tag?id=221320

Trust: 0.6

title: -  url: https://github.com/Live-Hack-CVE/CVE-2022-45787

Trust: 0.1

sources: VULMON: CVE-2022-45787 // JVNDB: JVNDB-2023-001784 // CNNVD: CNNVD-202301-447

EXTERNAL IDS

db: NVD  id: CVE-2022-45787

Trust: 4.0

db: JVNDB  id: JVNDB-2023-001784

Trust: 0.8

db: AUSCERT  id: ESB-2023.3663

Trust: 0.6

db: AUSCERT  id: ESB-2023.1879

Trust: 0.6

db: AUSCERT  id: ESB-2023.1925

Trust: 0.6

db: AUSCERT  id: ESB-2023.3726

Trust: 0.6

db: CNNVD  id: CNNVD-202301-447

Trust: 0.6

db: VULMON  id: CVE-2022-45787

Trust: 0.1

db: PACKETSTORM  id: 171600

Trust: 0.1

db: PACKETSTORM  id: 171593

Trust: 0.1

db: PACKETSTORM  id: 171664

Trust: 0.1

db: PACKETSTORM  id: 172281

Trust: 0.1

db: PACKETSTORM  id: 172266

Trust: 0.1

db: PACKETSTORM  id: 173213

Trust: 0.1

db: PACKETSTORM  id: 173162

Trust: 0.1

sources: VULMON: CVE-2022-45787 // JVNDB: JVNDB-2023-001784 // PACKETSTORM: 171600 // PACKETSTORM: 171593 // PACKETSTORM: 171664 // PACKETSTORM: 172281 // PACKETSTORM: 172266 // PACKETSTORM: 173213 // PACKETSTORM: 173162 // CNNVD: CNNVD-202301-447 // NVD: CVE-2022-45787

REFERENCES

url:https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2022-45787

Trust: 1.5

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.7

url:https://access.redhat.com/articles/11258

Trust: 0.7

url:https://access.redhat.com/security/cve/cve-2022-45787

Trust: 0.7

url:https://bugzilla.redhat.com/

Trust: 0.7

url:https://access.redhat.com/security/team/contact/

Trust: 0.7

url:https://access.redhat.com/security/cve/cve-2023-0482

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2023-0482

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.1925

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.1879

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.3726

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-45787/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.3663

Trust: 0.6

url:https://access.redhat.com/security/cve/cve-2022-4492

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2022-41854

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2022-4492

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2022-38752

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2022-41881

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2022-38752

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2022-41854

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2022-41881

Trust: 0.5

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.4

url:https://issues.jboss.org/

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2023-1108

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2023-1108

Trust: 0.3

url:https://access.redhat.com/security/team/key/

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-1471

Trust: 0.3

url:https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-41853

Trust: 0.3

url:https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-1471

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-41853

Trust: 0.3

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2021-0341

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-0341

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2023-28867

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2023-28867

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/200.html

Trust: 0.1

url:https://github.com/live-hack-cve/cve-2022-45787

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:1513

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:1512

Trust: 0.1

url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=securitypatches&product=appplatform&version=7.4

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:1516

Trust: 0.1

url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.rhsso&downloadtype=securitypatches&version=7.6

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:2713

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:2706

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2023-26053

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-1436

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/

Trust: 0.1

url:https://access.redhat.com/articles/4966181

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-26053

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2023-1584

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2023-0481

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-0481

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-1584

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-2974

Trust: 0.1

url:https://issues.redhat.com/

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:3809

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2023-2974

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2023-1436

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-4742

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-25881

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-25881

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-3510

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-3509

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-46877

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-3782

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:3815

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-40152

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-3782

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-46877

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-3510

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-40152

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-3509

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-4742

Trust: 0.1

sources: VULMON: CVE-2022-45787 // JVNDB: JVNDB-2023-001784 // PACKETSTORM: 171600 // PACKETSTORM: 171593 // PACKETSTORM: 171664 // PACKETSTORM: 172281 // PACKETSTORM: 172266 // PACKETSTORM: 173213 // PACKETSTORM: 173162 // CNNVD: CNNVD-202301-447 // NVD: CVE-2022-45787

CREDITS

Red Hat

Trust: 0.7

sources: PACKETSTORM: 171600 // PACKETSTORM: 171593 // PACKETSTORM: 171664 // PACKETSTORM: 172281 // PACKETSTORM: 172266 // PACKETSTORM: 173213 // PACKETSTORM: 173162

SOURCES

db: VULMON  id: CVE-2022-45787
db: JVNDB  id: JVNDB-2023-001784
db: PACKETSTORM  id: 171600
db: PACKETSTORM  id: 171593
db: PACKETSTORM  id: 171664
db: PACKETSTORM  id: 172281
db: PACKETSTORM  id: 172266
db: PACKETSTORM  id: 173213
db: PACKETSTORM  id: 173162
db: CNNVD  id: CNNVD-202301-447
db: NVD  id: CVE-2022-45787

LAST UPDATE DATE

2024-12-21T20:01:11.955000+00:00


SOURCES UPDATE DATE

db: VULMON  id: CVE-2022-45787  date: 2023-01-06T00:00:00
db: JVNDB  id: JVNDB-2023-001784  date: 2023-10-04T05:41:00
db: CNNVD  id: CNNVD-202301-447  date: 2023-06-30T00:00:00
db: NVD  id: CVE-2022-45787  date: 2023-11-07T03:54:49.427

SOURCES RELEASE DATE

db: VULMON  id: CVE-2022-45787  date: 2023-01-06T00:00:00
db: JVNDB  id: JVNDB-2023-001784  date: 2023-05-11T00:00:00
db: PACKETSTORM  id: 171600  date: 2023-03-30T17:37:20
db: PACKETSTORM  id: 171593  date: 2023-03-30T17:23:56
db: PACKETSTORM  id: 171664  date: 2023-04-03T16:59:40
db: PACKETSTORM  id: 172281  date: 2023-05-11T15:05:35
db: PACKETSTORM  id: 172266  date: 2023-05-10T15:31:03
db: PACKETSTORM  id: 173213  date: 2023-06-30T14:34:04
db: PACKETSTORM  id: 173162  date: 2023-06-28T03:10:54
db: CNNVD  id: CNNVD-202301-447  date: 2023-01-06T00:00:00
db: NVD  id: CVE-2022-45787  date: 2023-01-06T10:15:10.383