CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0481 – quarkus: insecure permissions on temp files
https://notcve.org/view.php?id=CVE-2023-0481
In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile() is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local user. • https://github.com/quarkusio/quarkus/pull/30694 https://access.redhat.com/security/cve/CVE-2023-0481 https://bugzilla.redhat.com/show_bug.cgi?id=2163533 • CWE-378: Creation of Temporary File With Insecure Permissions CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-0044 – quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure
https://notcve.org/view.php?id=CVE-2023-0044
If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature. A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure. • https://access.redhat.com/security/cve/CVE-2023-0044 https://bugzilla.redhat.com/show_bug.cgi?id=2158081 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-4147 – quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus
https://notcve.org/view.php?id=CVE-2022-4147
Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on the object returned by the XMLHttpRequest upload property and have no ReadableStream object used in the request. El filtro Quarkus CORS permite que continúen solicitudes GET y POST simples con origen no válido. Las solicitudes GET o POST simples realizadas con XMLHttpRequest son aquellas que no tienen detectores de eventos registrados en el objeto devuelto por la propiedad de carga XMLHttpRequest y no tienen ningún objeto ReadableStream utilizado en la solicitud. A vulnerability was found in Quarkus. • https://access.redhat.com/security/cve/CVE-2022-4147 https://bugzilla.redhat.com/show_bug.cgi?id=2148867 • CWE CATEGORY •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-4116 – quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE
https://notcve.org/view.php?id=CVE-2022-4116
A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution. Se encontró una vulnerabilidad en los quarkus. Esta falla de seguridad ocurre en Dev UI Config Editor, que es vulnerable a ataques de host local que conducen a la ejecución remota de código. A vulnerability was found in quarkus. • https://access.redhat.com/security/cve/CVE-2022-4116 https://bugzilla.redhat.com/show_bug.cgi?id=2144748 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 2CVE-2022-42003 – jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
https://notcve.org/view.php?id=CVE-2022-42003
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. En FasterXML jackson-databind anterior a 2.14.0-rc1, puede producirse un agotamiento de recursos debido a la falta de una comprobación en los deserializadores de valores primitivos para evitar el anidamiento de arrays envolventes profundos, cuando la función UNWRAP_SINGLE_VALUE_ARRAYS está activada. Versión de corrección adicional en 2.13.4.1 y 2.12.17.1 A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting. • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020 https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33 https://github.com/FasterXML/jackson-databind/issues/3590 https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html https://security.gentoo.org/glsa/202210-21 https://security.netapp.com/advisory/ntap-20221124-0004 https://www.debian.org/security/2022/dsa-5283 https://access.redhat.com/security/cve/CVE-2022-42003 https://bugzilla.r • CWE-502: Deserialization of Untrusted Data •