CVE-2023-0044 – quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure
https://notcve.org/view.php?id=CVE-2023-0044
If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature. A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure. • https://access.redhat.com/security/cve/CVE-2023-0044 https://bugzilla.redhat.com/show_bug.cgi?id=2158081 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-4147 – quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus
https://notcve.org/view.php?id=CVE-2022-4147
Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on the object returned by the XMLHttpRequest upload property and have no ReadableStream object used in the request. El filtro Quarkus CORS permite que continúen solicitudes GET y POST simples con origen no válido. Las solicitudes GET o POST simples realizadas con XMLHttpRequest son aquellas que no tienen detectores de eventos registrados en el objeto devuelto por la propiedad de carga XMLHttpRequest y no tienen ningún objeto ReadableStream utilizado en la solicitud. A vulnerability was found in Quarkus. • https://access.redhat.com/security/cve/CVE-2022-4147 https://bugzilla.redhat.com/show_bug.cgi?id=2148867 • CWE CATEGORY •
CVE-2022-4116 – quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE
https://notcve.org/view.php?id=CVE-2022-4116
A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution. Se encontró una vulnerabilidad en los quarkus. Esta falla de seguridad ocurre en Dev UI Config Editor, que es vulnerable a ataques de host local que conducen a la ejecución remota de código. A vulnerability was found in quarkus. • https://access.redhat.com/security/cve/CVE-2022-4116 https://bugzilla.redhat.com/show_bug.cgi?id=2144748 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2022-42003 – jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
https://notcve.org/view.php?id=CVE-2022-42003
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. En FasterXML jackson-databind anterior a 2.14.0-rc1, puede producirse un agotamiento de recursos debido a la falta de una comprobación en los deserializadores de valores primitivos para evitar el anidamiento de arrays envolventes profundos, cuando la función UNWRAP_SINGLE_VALUE_ARRAYS está activada. Versión de corrección adicional en 2.13.4.1 y 2.12.17.1 A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting. • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020 https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33 https://github.com/FasterXML/jackson-databind/issues/3590 https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html https://security.gentoo.org/glsa/202210-21 https://security.netapp.com/advisory/ntap-20221124-0004 https://www.debian.org/security/2022/dsa-5283 https://access.redhat.com/security/cve/CVE-2022-42003 https://bugzilla.r • CWE-502: Deserialization of Untrusted Data •
CVE-2022-42004 – jackson-databind: use of deeply nested arrays
https://notcve.org/view.php?id=CVE-2022-42004
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. En FasterXML jackson-databind versiones anteriores a 2.13.4, el agotamiento de los recursos puede ocurrir debido a una falta de comprobación en BeanDeserializer._deserializeFromArray para impedir el uso de arrays profundamente anidados. • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490 https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88 https://github.com/FasterXML/jackson-databind/issues/3582 https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html https://security.gentoo.org/glsa/202210-21 https://security.netapp.com/advisory/ntap-20221118-0008 https://www.debian.org/security/2022/dsa-5283 https://access.redhat.com/security/cve/CVE-2022-42004 https://bugzilla.r • CWE-502: Deserialization of Untrusted Data •