ISHACK AI BOT

Red Hat JBossEAP: Origin Validation Error (CVE-2024-1249) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 04/16/2024 Created 09/20/2024 Added 09/19/2024 Modified 12/20/2024 Description A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.. A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages. Solution(s) red-hat-jboss-eap-upgrade-latest References https://attackerkb.com/topics/cve-2024-1249 CVE - 2024-1249 https://access.redhat.com/security/cve/CVE-2024-1249 https://bugzilla.redhat.com/show_bug.cgi?id=2262918

Debian: CVE-2024-21094: openjdk-11, openjdk-17 -- security update Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 04/16/2024 Created 04/24/2024 Added 04/23/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Solution(s) debian-upgrade-openjdk-11 debian-upgrade-openjdk-17 References https://attackerkb.com/topics/cve-2024-21094 CVE - 2024-21094 DSA-5671-1

Debian: CVE-2024-1135: gunicorn -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/16/2024 Created 12/24/2024 Added 12/23/2024 Modified 12/23/2024 Description Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure. Solution(s) debian-upgrade-gunicorn References https://attackerkb.com/topics/cve-2024-1135 CVE - 2024-1135 DLA-3851-1 DLA-3996-1

Ubuntu: (Multiple Advisories) (CVE-2024-3860): Firefox vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/16/2024 Created 04/25/2024 Added 04/25/2024 Modified 05/03/2024 Description An out-of-memory condition during object initialization could result in an empty shape list. If the JIT subsequently traced the object it would crash. This vulnerability affects Firefox < 125. Solution(s) ubuntu-upgrade-firefox References https://attackerkb.com/topics/cve-2024-3860 CVE - 2024-3860 USN-6747-1 USN-6747-2

Ubuntu: (Multiple Advisories) (CVE-2024-3855): Firefox vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/16/2024 Created 04/25/2024 Added 04/25/2024 Modified 05/03/2024 Description In certain cases the JIT incorrectly optimized MSubstr operations, which led to out-of-bounds reads. This vulnerability affects Firefox < 125. Solution(s) ubuntu-upgrade-firefox References https://attackerkb.com/topics/cve-2024-3855 CVE - 2024-3855 USN-6747-1 USN-6747-2

Ubuntu: (Multiple Advisories) (CVE-2024-3854): Firefox vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/16/2024 Created 04/25/2024 Added 04/25/2024 Modified 05/03/2024 Description In some code patterns the JIT incorrectly optimized switch statements and generated code with out-of-bounds-reads. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. Solution(s) ubuntu-upgrade-firefox ubuntu-upgrade-thunderbird References https://attackerkb.com/topics/cve-2024-3854 CVE - 2024-3854 USN-6747-1 USN-6747-2 USN-6750-1

Ubuntu: (Multiple Advisories) (CVE-2024-3857): Firefox vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/16/2024 Created 04/25/2024 Added 04/25/2024 Modified 05/03/2024 Description The JIT created incorrect code for arguments in certain cases. This led to potential use-after-free crashes during garbage collection. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. Solution(s) ubuntu-upgrade-firefox ubuntu-upgrade-thunderbird References https://attackerkb.com/topics/cve-2024-3857 CVE - 2024-3857 USN-6747-1 USN-6747-2 USN-6750-1

Rocky Linux: CVE-2022-24807: net-snmp (RLSA-2024-7260) Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:C/A:N) Published 04/16/2024 Created 10/03/2024 Added 10/02/2024 Modified 01/28/2025 Description net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a malformed OID in a SET request to `SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable` can cause an out-of-bounds memory access. A user with read-write credentials can exploit the issue. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. Solution(s) rocky-upgrade-net-snmp rocky-upgrade-net-snmp-agent-libs rocky-upgrade-net-snmp-agent-libs-debuginfo rocky-upgrade-net-snmp-debuginfo rocky-upgrade-net-snmp-debugsource rocky-upgrade-net-snmp-devel rocky-upgrade-net-snmp-libs rocky-upgrade-net-snmp-libs-debuginfo rocky-upgrade-net-snmp-perl rocky-upgrade-net-snmp-perl-debuginfo rocky-upgrade-net-snmp-utils rocky-upgrade-net-snmp-utils-debuginfo rocky-upgrade-python3-net-snmp rocky-upgrade-python3-net-snmp-debuginfo References https://attackerkb.com/topics/cve-2022-24807 CVE - 2022-24807 https://errata.rockylinux.org/RLSA-2024:7260

Alpine Linux: CVE-2022-24805: Vulnerability in Multiple Components Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:C/A:N) Published 04/16/2024 Created 06/11/2024 Added 06/06/2024 Modified 01/20/2025 Description net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a buffer overflow in the handling of the `INDEX` of `NET-SNMP-VACM-MIB` can cause an out-of-bounds memory access. A user with read-only credentials can exploit the issue. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. Solution(s) alpine-linux-upgrade-net-snmp References https://attackerkb.com/topics/cve-2022-24805 CVE - 2022-24805 https://security.alpinelinux.org/vuln/CVE-2022-24805

Rocky Linux: CVE-2022-24810: net-snmp (RLSA-2024-7260) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/16/2024 Created 10/03/2024 Added 10/02/2024 Modified 02/12/2025 Description net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can use a malformed OID in a SET to the nsVacmAccessTable to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. Solution(s) rocky-upgrade-net-snmp rocky-upgrade-net-snmp-agent-libs rocky-upgrade-net-snmp-agent-libs-debuginfo rocky-upgrade-net-snmp-debuginfo rocky-upgrade-net-snmp-debugsource rocky-upgrade-net-snmp-devel rocky-upgrade-net-snmp-libs rocky-upgrade-net-snmp-libs-debuginfo rocky-upgrade-net-snmp-perl rocky-upgrade-net-snmp-perl-debuginfo rocky-upgrade-net-snmp-utils rocky-upgrade-net-snmp-utils-debuginfo rocky-upgrade-python3-net-snmp rocky-upgrade-python3-net-snmp-debuginfo References https://attackerkb.com/topics/cve-2022-24810 CVE - 2022-24810 https://errata.rockylinux.org/RLSA-2024:7260

Alpine Linux: CVE-2022-24807: Vulnerability in Multiple Components Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:C/A:N) Published 04/16/2024 Created 06/11/2024 Added 06/06/2024 Modified 10/02/2024 Description net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a malformed OID in a SET request to `SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable` can cause an out-of-bounds memory access. A user with read-write credentials can exploit the issue. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. Solution(s) alpine-linux-upgrade-net-snmp References https://attackerkb.com/topics/cve-2022-24807 CVE - 2022-24807 https://security.alpinelinux.org/vuln/CVE-2022-24807

Alpine Linux: CVE-2022-24809: Vulnerability in Multiple Components Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:C/A:N) Published 04/16/2024 Created 06/11/2024 Added 06/06/2024 Modified 01/20/2025 Description net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-only credentials can use a malformed OID in a `GET-NEXT` to the `nsVacmAccessTable` to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. Solution(s) alpine-linux-upgrade-net-snmp References https://attackerkb.com/topics/cve-2022-24809 CVE - 2022-24809 https://security.alpinelinux.org/vuln/CVE-2022-24809

Rocky Linux: CVE-2022-24806: net-snmp (RLSA-2024-7260) Severity 6 CVSS (AV:N/AC:M/Au:S/C:N/I:N/A:C) Published 04/16/2024 Created 10/03/2024 Added 10/02/2024 Modified 01/28/2025 Description net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can exploit an Improper Input Validation vulnerability when SETing malformed OIDs in master agent and subagent simultaneously. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. Solution(s) rocky-upgrade-net-snmp rocky-upgrade-net-snmp-agent-libs rocky-upgrade-net-snmp-agent-libs-debuginfo rocky-upgrade-net-snmp-debuginfo rocky-upgrade-net-snmp-debugsource rocky-upgrade-net-snmp-devel rocky-upgrade-net-snmp-libs rocky-upgrade-net-snmp-libs-debuginfo rocky-upgrade-net-snmp-perl rocky-upgrade-net-snmp-perl-debuginfo rocky-upgrade-net-snmp-utils rocky-upgrade-net-snmp-utils-debuginfo rocky-upgrade-python3-net-snmp rocky-upgrade-python3-net-snmp-debuginfo References https://attackerkb.com/topics/cve-2022-24806 CVE - 2022-24806 https://errata.rockylinux.org/RLSA-2024:7260

AdoptOpenJDK: CVE-2024-21003: Vulnerability with JavaFX component Severity 3 CVSS (AV:N/AC:H/Au:N/C:N/I:P/A:N) Published 04/16/2024 Created 04/29/2024 Added 04/26/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX).Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM Enterprise Edition: 20.3.13 and21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). Solution(s) adoptopenjdk-upgrade-latest References https://attackerkb.com/topics/cve-2024-21003 CVE - 2024-21003 https://adoptopenjdk.net/releases

Rocky Linux: CVE-2022-24808: net-snmp (RLSA-2024-7260) Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:N/A:C) Published 04/16/2024 Created 10/03/2024 Added 10/02/2024 Modified 01/28/2025 Description net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can use a malformed OID in a `SET` request to `NET-SNMP-AGENT-MIB::nsLogTable` to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. Solution(s) rocky-upgrade-net-snmp rocky-upgrade-net-snmp-agent-libs rocky-upgrade-net-snmp-agent-libs-debuginfo rocky-upgrade-net-snmp-debuginfo rocky-upgrade-net-snmp-debugsource rocky-upgrade-net-snmp-devel rocky-upgrade-net-snmp-libs rocky-upgrade-net-snmp-libs-debuginfo rocky-upgrade-net-snmp-perl rocky-upgrade-net-snmp-perl-debuginfo rocky-upgrade-net-snmp-utils rocky-upgrade-net-snmp-utils-debuginfo rocky-upgrade-python3-net-snmp rocky-upgrade-python3-net-snmp-debuginfo References https://attackerkb.com/topics/cve-2022-24808 CVE - 2022-24808 https://errata.rockylinux.org/RLSA-2024:7260

AdoptOpenJDK: CVE-2024-21005: Vulnerability with JavaFX component Severity 3 CVSS (AV:N/AC:H/Au:N/C:N/I:P/A:N) Published 04/16/2024 Created 04/29/2024 Added 04/26/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX).Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM Enterprise Edition: 20.3.13 and21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). Solution(s) adoptopenjdk-upgrade-latest References https://attackerkb.com/topics/cve-2024-21005 CVE - 2024-21005 https://adoptopenjdk.net/releases

Debian: CVE-2024-3861: firefox-esr, thunderbird -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/16/2024 Created 04/19/2024 Added 04/19/2024 Modified 04/23/2024 Description If an AlignedBuffer were assigned to itself, the subsequent self-move could result in an incorrect reference count and later use-after-free. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. Solution(s) debian-upgrade-firefox-esr debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2024-3861 CVE - 2024-3861 DSA-5663-1

Alpine Linux: CVE-2024-21012: Vulnerability in Multiple Components Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 04/16/2024 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).Supported versions that are affected are Oracle Java SE: 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Solution(s) alpine-linux-upgrade-openjdk11 alpine-linux-upgrade-openjdk17 alpine-linux-upgrade-openjdk21 References https://attackerkb.com/topics/cve-2024-21012 CVE - 2024-21012 https://security.alpinelinux.org/vuln/CVE-2024-21012

Red Hat: CVE-2024-3864: Mozilla: Memory safety bug fixed in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10 (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/16/2024 Created 04/19/2024 Added 04/19/2024 Modified 09/03/2024 Description Memory safety bug present in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. Solution(s) redhat-upgrade-firefox redhat-upgrade-firefox-debuginfo redhat-upgrade-firefox-debugsource redhat-upgrade-firefox-x11 redhat-upgrade-thunderbird redhat-upgrade-thunderbird-debuginfo redhat-upgrade-thunderbird-debugsource References CVE-2024-3864 RHSA-2024:1905 RHSA-2024:1906 RHSA-2024:1907 RHSA-2024:1908 RHSA-2024:1909 RHSA-2024:1910 RHSA-2024:1912 RHSA-2024:1935 RHSA-2024:1936 RHSA-2024:1937 RHSA-2024:1938 RHSA-2024:1939 RHSA-2024:1940 RHSA-2024:1941 View more

Red Hat: CVE-2024-3852: Mozilla: GetBoundName in the JIT returned the wrong object (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/16/2024 Created 04/19/2024 Added 04/19/2024 Modified 09/03/2024 Description GetBoundName could return the wrong version of an object when JIT optimizations were applied. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. Solution(s) redhat-upgrade-firefox redhat-upgrade-firefox-debuginfo redhat-upgrade-firefox-debugsource redhat-upgrade-firefox-x11 redhat-upgrade-thunderbird redhat-upgrade-thunderbird-debuginfo redhat-upgrade-thunderbird-debugsource References CVE-2024-3852 RHSA-2024:1905 RHSA-2024:1906 RHSA-2024:1907 RHSA-2024:1908 RHSA-2024:1909 RHSA-2024:1910 RHSA-2024:1912 RHSA-2024:1935 RHSA-2024:1936 RHSA-2024:1937 RHSA-2024:1938 RHSA-2024:1939 RHSA-2024:1940 RHSA-2024:1941 View more

Red Hat: CVE-2024-21011: OpenJDK: long Exception message leading to crash (8319851) (Multiple Advisories) Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:P) Published 04/16/2024 Created 04/18/2024 Added 04/18/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). Solution(s) redhat-upgrade-java-1-8-0-openjdk redhat-upgrade-java-1-8-0-openjdk-accessibility redhat-upgrade-java-1-8-0-openjdk-accessibility-fastdebug redhat-upgrade-java-1-8-0-openjdk-accessibility-slowdebug redhat-upgrade-java-1-8-0-openjdk-debuginfo redhat-upgrade-java-1-8-0-openjdk-debugsource redhat-upgrade-java-1-8-0-openjdk-demo redhat-upgrade-java-1-8-0-openjdk-demo-debuginfo redhat-upgrade-java-1-8-0-openjdk-demo-fastdebug redhat-upgrade-java-1-8-0-openjdk-demo-fastdebug-debuginfo redhat-upgrade-java-1-8-0-openjdk-demo-slowdebug redhat-upgrade-java-1-8-0-openjdk-demo-slowdebug-debuginfo redhat-upgrade-java-1-8-0-openjdk-devel redhat-upgrade-java-1-8-0-openjdk-devel-debuginfo redhat-upgrade-java-1-8-0-openjdk-devel-fastdebug redhat-upgrade-java-1-8-0-openjdk-devel-fastdebug-debuginfo redhat-upgrade-java-1-8-0-openjdk-devel-slowdebug redhat-upgrade-java-1-8-0-openjdk-devel-slowdebug-debuginfo redhat-upgrade-java-1-8-0-openjdk-fastdebug redhat-upgrade-java-1-8-0-openjdk-fastdebug-debuginfo redhat-upgrade-java-1-8-0-openjdk-headless redhat-upgrade-java-1-8-0-openjdk-headless-debuginfo redhat-upgrade-java-1-8-0-openjdk-headless-fastdebug redhat-upgrade-java-1-8-0-openjdk-headless-fastdebug-debuginfo redhat-upgrade-java-1-8-0-openjdk-headless-slowdebug redhat-upgrade-java-1-8-0-openjdk-headless-slowdebug-debuginfo redhat-upgrade-java-1-8-0-openjdk-javadoc redhat-upgrade-java-1-8-0-openjdk-javadoc-zip redhat-upgrade-java-1-8-0-openjdk-slowdebug redhat-upgrade-java-1-8-0-openjdk-slowdebug-debuginfo redhat-upgrade-java-1-8-0-openjdk-src redhat-upgrade-java-1-8-0-openjdk-src-fastdebug redhat-upgrade-java-1-8-0-openjdk-src-slowdebug redhat-upgrade-java-11-openjdk redhat-upgrade-java-11-openjdk-debuginfo redhat-upgrade-java-11-openjdk-debugsource redhat-upgrade-java-11-openjdk-demo redhat-upgrade-java-11-openjdk-demo-fastdebug redhat-upgrade-java-11-openjdk-demo-slowdebug redhat-upgrade-java-11-openjdk-devel redhat-upgrade-java-11-openjdk-devel-debuginfo redhat-upgrade-java-11-openjdk-devel-fastdebug redhat-upgrade-java-11-openjdk-devel-fastdebug-debuginfo redhat-upgrade-java-11-openjdk-devel-slowdebug redhat-upgrade-java-11-openjdk-devel-slowdebug-debuginfo redhat-upgrade-java-11-openjdk-fastdebug redhat-upgrade-java-11-openjdk-fastdebug-debuginfo redhat-upgrade-java-11-openjdk-headless redhat-upgrade-java-11-openjdk-headless-debuginfo redhat-upgrade-java-11-openjdk-headless-fastdebug redhat-upgrade-java-11-openjdk-headless-fastdebug-debuginfo redhat-upgrade-java-11-openjdk-headless-slowdebug redhat-upgrade-java-11-openjdk-headless-slowdebug-debuginfo redhat-upgrade-java-11-openjdk-javadoc redhat-upgrade-java-11-openjdk-javadoc-zip redhat-upgrade-java-11-openjdk-jmods redhat-upgrade-java-11-openjdk-jmods-fastdebug redhat-upgrade-java-11-openjdk-jmods-slowdebug redhat-upgrade-java-11-openjdk-slowdebug redhat-upgrade-java-11-openjdk-slowdebug-debuginfo redhat-upgrade-java-11-openjdk-src redhat-upgrade-java-11-openjdk-src-fastdebug redhat-upgrade-java-11-openjdk-src-slowdebug redhat-upgrade-java-11-openjdk-static-libs redhat-upgrade-java-11-openjdk-static-libs-fastdebug redhat-upgrade-java-11-openjdk-static-libs-slowdebug redhat-upgrade-java-17-openjdk redhat-upgrade-java-17-openjdk-debuginfo redhat-upgrade-java-17-openjdk-debugsource redhat-upgrade-java-17-openjdk-demo redhat-upgrade-java-17-openjdk-demo-fastdebug redhat-upgrade-java-17-openjdk-demo-slowdebug redhat-upgrade-java-17-openjdk-devel redhat-upgrade-java-17-openjdk-devel-debuginfo redhat-upgrade-java-17-openjdk-devel-fastdebug redhat-upgrade-java-17-openjdk-devel-fastdebug-debuginfo redhat-upgrade-java-17-openjdk-devel-slowdebug redhat-upgrade-java-17-openjdk-devel-slowdebug-debuginfo redhat-upgrade-java-17-openjdk-fastdebug redhat-upgrade-java-17-openjdk-fastdebug-debuginfo redhat-upgrade-java-17-openjdk-headless redhat-upgrade-java-17-openjdk-headless-debuginfo redhat-upgrade-java-17-openjdk-headless-fastdebug redhat-upgrade-java-17-openjdk-headless-fastdebug-debuginfo redhat-upgrade-java-17-openjdk-headless-slowdebug redhat-upgrade-java-17-openjdk-headless-slowdebug-debuginfo redhat-upgrade-java-17-openjdk-javadoc redhat-upgrade-java-17-openjdk-javadoc-zip redhat-upgrade-java-17-openjdk-jmods redhat-upgrade-java-17-openjdk-jmods-fastdebug redhat-upgrade-java-17-openjdk-jmods-slowdebug redhat-upgrade-java-17-openjdk-slowdebug redhat-upgrade-java-17-openjdk-slowdebug-debuginfo redhat-upgrade-java-17-openjdk-src redhat-upgrade-java-17-openjdk-src-fastdebug redhat-upgrade-java-17-openjdk-src-slowdebug redhat-upgrade-java-17-openjdk-static-libs redhat-upgrade-java-17-openjdk-static-libs-fastdebug redhat-upgrade-java-17-openjdk-static-libs-slowdebug redhat-upgrade-java-21-openjdk redhat-upgrade-java-21-openjdk-debuginfo redhat-upgrade-java-21-openjdk-debugsource redhat-upgrade-java-21-openjdk-demo redhat-upgrade-java-21-openjdk-demo-fastdebug redhat-upgrade-java-21-openjdk-demo-slowdebug redhat-upgrade-java-21-openjdk-devel redhat-upgrade-java-21-openjdk-devel-debuginfo redhat-upgrade-java-21-openjdk-devel-fastdebug redhat-upgrade-java-21-openjdk-devel-fastdebug-debuginfo redhat-upgrade-java-21-openjdk-devel-slowdebug redhat-upgrade-java-21-openjdk-devel-slowdebug-debuginfo redhat-upgrade-java-21-openjdk-fastdebug redhat-upgrade-java-21-openjdk-fastdebug-debuginfo redhat-upgrade-java-21-openjdk-headless redhat-upgrade-java-21-openjdk-headless-debuginfo redhat-upgrade-java-21-openjdk-headless-fastdebug redhat-upgrade-java-21-openjdk-headless-fastdebug-debuginfo redhat-upgrade-java-21-openjdk-headless-slowdebug redhat-upgrade-java-21-openjdk-headless-slowdebug-debuginfo redhat-upgrade-java-21-openjdk-javadoc redhat-upgrade-java-21-openjdk-javadoc-zip redhat-upgrade-java-21-openjdk-jmods redhat-upgrade-java-21-openjdk-jmods-fastdebug redhat-upgrade-java-21-openjdk-jmods-slowdebug redhat-upgrade-java-21-openjdk-slowdebug redhat-upgrade-java-21-openjdk-slowdebug-debuginfo redhat-upgrade-java-21-openjdk-src redhat-upgrade-java-21-openjdk-src-fastdebug redhat-upgrade-java-21-openjdk-src-slowdebug redhat-upgrade-java-21-openjdk-static-libs redhat-upgrade-java-21-openjdk-static-libs-fastdebug redhat-upgrade-java-21-openjdk-static-libs-slowdebug References CVE-2024-21011 RHSA-2024:1817 RHSA-2024:1818 RHSA-2024:1821 RHSA-2024:1822 RHSA-2024:1825 RHSA-2024:1828 View more

Red Hat: CVE-2024-21096: mysql: Client: mysqldump unspecified vulnerability (CPU Apr 2024) (Multiple Advisories) Severity 4 CVSS (AV:L/AC:H/Au:N/C:P/I:P/A:P) Published 04/16/2024 Created 01/31/2025 Added 01/30/2025 Modified 02/05/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Client: mysqldump).Supported versions that are affected are 8.0.36 and prior and8.3.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of MySQL Server accessible data as well asunauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Confidentiality, Integrity and Availability impacts).CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L). Solution(s) redhat-upgrade-galera redhat-upgrade-galera-debuginfo redhat-upgrade-galera-debugsource redhat-upgrade-judy redhat-upgrade-judy-debuginfo redhat-upgrade-judy-debugsource redhat-upgrade-mariadb redhat-upgrade-mariadb-backup redhat-upgrade-mariadb-backup-debuginfo redhat-upgrade-mariadb-common redhat-upgrade-mariadb-debuginfo redhat-upgrade-mariadb-debugsource redhat-upgrade-mariadb-devel redhat-upgrade-mariadb-embedded redhat-upgrade-mariadb-embedded-debuginfo redhat-upgrade-mariadb-embedded-devel redhat-upgrade-mariadb-errmsg redhat-upgrade-mariadb-gssapi-server redhat-upgrade-mariadb-gssapi-server-debuginfo redhat-upgrade-mariadb-oqgraph-engine redhat-upgrade-mariadb-oqgraph-engine-debuginfo redhat-upgrade-mariadb-pam redhat-upgrade-mariadb-pam-debuginfo redhat-upgrade-mariadb-server redhat-upgrade-mariadb-server-debuginfo redhat-upgrade-mariadb-server-galera redhat-upgrade-mariadb-server-utils redhat-upgrade-mariadb-server-utils-debuginfo redhat-upgrade-mariadb-test redhat-upgrade-mariadb-test-debuginfo References CVE-2024-21096 RHSA-2025:0737 RHSA-2025:0739 RHSA-2025:0912 RHSA-2025:0914

Red Hat: CVE-2024-21085: OpenJDK: Pack200 excessive memory allocation (8322114) (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/16/2024 Created 04/18/2024 Added 04/18/2024 Modified 09/03/2024 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency).Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). Solution(s) redhat-upgrade-java-1-8-0-openjdk redhat-upgrade-java-1-8-0-openjdk-accessibility redhat-upgrade-java-1-8-0-openjdk-accessibility-fastdebug redhat-upgrade-java-1-8-0-openjdk-accessibility-slowdebug redhat-upgrade-java-1-8-0-openjdk-debuginfo redhat-upgrade-java-1-8-0-openjdk-debugsource redhat-upgrade-java-1-8-0-openjdk-demo redhat-upgrade-java-1-8-0-openjdk-demo-debuginfo redhat-upgrade-java-1-8-0-openjdk-demo-fastdebug redhat-upgrade-java-1-8-0-openjdk-demo-fastdebug-debuginfo redhat-upgrade-java-1-8-0-openjdk-demo-slowdebug redhat-upgrade-java-1-8-0-openjdk-demo-slowdebug-debuginfo redhat-upgrade-java-1-8-0-openjdk-devel redhat-upgrade-java-1-8-0-openjdk-devel-debuginfo redhat-upgrade-java-1-8-0-openjdk-devel-fastdebug redhat-upgrade-java-1-8-0-openjdk-devel-fastdebug-debuginfo redhat-upgrade-java-1-8-0-openjdk-devel-slowdebug redhat-upgrade-java-1-8-0-openjdk-devel-slowdebug-debuginfo redhat-upgrade-java-1-8-0-openjdk-fastdebug redhat-upgrade-java-1-8-0-openjdk-fastdebug-debuginfo redhat-upgrade-java-1-8-0-openjdk-headless redhat-upgrade-java-1-8-0-openjdk-headless-debuginfo redhat-upgrade-java-1-8-0-openjdk-headless-fastdebug redhat-upgrade-java-1-8-0-openjdk-headless-fastdebug-debuginfo redhat-upgrade-java-1-8-0-openjdk-headless-slowdebug redhat-upgrade-java-1-8-0-openjdk-headless-slowdebug-debuginfo redhat-upgrade-java-1-8-0-openjdk-javadoc redhat-upgrade-java-1-8-0-openjdk-javadoc-zip redhat-upgrade-java-1-8-0-openjdk-slowdebug redhat-upgrade-java-1-8-0-openjdk-slowdebug-debuginfo redhat-upgrade-java-1-8-0-openjdk-src redhat-upgrade-java-1-8-0-openjdk-src-fastdebug redhat-upgrade-java-1-8-0-openjdk-src-slowdebug redhat-upgrade-java-11-openjdk redhat-upgrade-java-11-openjdk-debuginfo redhat-upgrade-java-11-openjdk-debugsource redhat-upgrade-java-11-openjdk-demo redhat-upgrade-java-11-openjdk-demo-fastdebug redhat-upgrade-java-11-openjdk-demo-slowdebug redhat-upgrade-java-11-openjdk-devel redhat-upgrade-java-11-openjdk-devel-debuginfo redhat-upgrade-java-11-openjdk-devel-fastdebug redhat-upgrade-java-11-openjdk-devel-fastdebug-debuginfo redhat-upgrade-java-11-openjdk-devel-slowdebug redhat-upgrade-java-11-openjdk-devel-slowdebug-debuginfo redhat-upgrade-java-11-openjdk-fastdebug redhat-upgrade-java-11-openjdk-fastdebug-debuginfo redhat-upgrade-java-11-openjdk-headless redhat-upgrade-java-11-openjdk-headless-debuginfo redhat-upgrade-java-11-openjdk-headless-fastdebug redhat-upgrade-java-11-openjdk-headless-fastdebug-debuginfo redhat-upgrade-java-11-openjdk-headless-slowdebug redhat-upgrade-java-11-openjdk-headless-slowdebug-debuginfo redhat-upgrade-java-11-openjdk-javadoc redhat-upgrade-java-11-openjdk-javadoc-zip redhat-upgrade-java-11-openjdk-jmods redhat-upgrade-java-11-openjdk-jmods-fastdebug redhat-upgrade-java-11-openjdk-jmods-slowdebug redhat-upgrade-java-11-openjdk-slowdebug redhat-upgrade-java-11-openjdk-slowdebug-debuginfo redhat-upgrade-java-11-openjdk-src redhat-upgrade-java-11-openjdk-src-fastdebug redhat-upgrade-java-11-openjdk-src-slowdebug redhat-upgrade-java-11-openjdk-static-libs redhat-upgrade-java-11-openjdk-static-libs-fastdebug redhat-upgrade-java-11-openjdk-static-libs-slowdebug References CVE-2024-21085 RHSA-2024:1817 RHSA-2024:1818 RHSA-2024:1821 RHSA-2024:1822

Red Hat: CVE-2024-3857: Mozilla: Incorrect JITting of arguments led to use-after-free during garbage collection (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/16/2024 Created 04/19/2024 Added 04/19/2024 Modified 09/03/2024 Description The JIT created incorrect code for arguments in certain cases. This led to potential use-after-free crashes during garbage collection. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. Solution(s) redhat-upgrade-firefox redhat-upgrade-firefox-debuginfo redhat-upgrade-firefox-debugsource redhat-upgrade-firefox-x11 redhat-upgrade-thunderbird redhat-upgrade-thunderbird-debuginfo redhat-upgrade-thunderbird-debugsource References CVE-2024-3857 RHSA-2024:1905 RHSA-2024:1906 RHSA-2024:1907 RHSA-2024:1908 RHSA-2024:1909 RHSA-2024:1910 RHSA-2024:1912 RHSA-2024:1935 RHSA-2024:1936 RHSA-2024:1937 RHSA-2024:1938 RHSA-2024:1939 RHSA-2024:1940 RHSA-2024:1941 View more

VMware Photon OS: CVE-2024-20994 Severity 5 CVSS (AV:N/AC:H/Au:S/C:N/I:N/A:C) Published 04/16/2024 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema).Supported versions that are affected are 8.0.36 and prior and8.3.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H). Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2024-20994 CVE - 2024-20994