CVE-2022-1278 – WildFly: possible information disclosure
https://notcve.org/view.php?id=CVE-2022-1278
A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.
References: https://bugzilla.redhat.com/show_bug.cgi?id=2073401 https://access.redhat.com/security/cve/CVE-2022-1278
CWE: CWE-1188: Initialization of a Resource with an Insecure Default
CVE-2022-1833 – amq: AMQ Broker Operator ClusterWide Edit Permissions Due Token Exposure
https://notcve.org/view.php?id=CVE-2022-1833
A flaw was found in AMQ Broker Operator 7.9.4 installed via UI using OperatorHub where a low-privilege user that has access to the namespace where the AMQ Operator is deployed has access to clusterwide edit rights by checking the secrets. The service account used for building the Operator gives more permission than expected and an attacker could benefit from it. This requires at least an already compromised low-privilege account or insider attack.
References: https://bugzilla.redhat.com/show_bug.cgi?id=2089406#c4 https://access.redhat.com/security/cve/CVE-2022-1833 https://bugzilla.redhat.com/show_bug.cgi?id=2089406 https://access.redhat.com/documentation/en-us/red_hat_amq/7.4/html/deploying_amq_broker_on_openshift_container_platform/broker-operator-broker-ocp
CWE: CWE-276: Incorrect Default Permissions
CVE-2021-4040 – Broker: Malformed message can result in partial DoS (OOM)
https://notcve.org/view.php?id=CVE-2021-4040
A flaw was found in AMQ Broker. This issue can cause a partial interruption to the availability of AMQ Broker via an Out of memory (OOM) condition. This flaw allows an attacker to partially disrupt availability to the broker through a sustained attack of maliciously crafted messages. The highest threat from this vulnerability is system availability.
References: https://access.redhat.com/security/cve/CVE-2021-4040 https://bugzilla.redhat.com/show_bug.cgi?id=2028254 https://github.com/apache/activemq-artemis/pull/3871/commits https://issues.apache.org/jira/browse/ARTEMIS-3593
CWE: CWE-400: Uncontrolled Resource Consumption; CWE-787: Out-of-bounds Write
CVE-2021-3763 – 7: Incorrect privilege in Management Console
https://notcve.org/view.php?id=CVE-2021-3763
A flaw was found in the Red Hat AMQ Broker management console in version 7.8 where an existing user is able to access some limited information even when the role the user is assigned to should not be allowed access to the management console. The main impact is to confidentiality: because some role bindings are incorrectly checked, some privileged meta information such as queue names and configuration details is disclosed. The impact is limited, as not all information is accessible and there is no effect on integrity.
References: https://access.redhat.com/security/cve/CVE-2021-3763 https://bugzilla.redhat.com/show_bug.cgi?id=2000654 https://issues.redhat.com/browse/ENTMQBR-5372
CWE: CWE-863: Incorrect Authorization
CVE-2020-14348 – AMQ: Denial of Service via unrecognized field injection
https://notcve.org/view.php?id=CVE-2020-14348
It was found in AMQ Online before 1.5.2 that injecting an invalid field into a user's AddressSpace configuration of the user namespace puts AMQ Online in an inconsistent state, where the AMQ Online components do not operate properly (for example, provisioning fails and addresses cannot be created), though this does not impact already existing messaging clients or brokers.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1861814 https://access.redhat.com/security/cve/CVE-2020-14348
CWE: CWE-248: Uncaught Exception; CWE-754: Improper Check for Unusual or Exceptional Conditions