CVSS: 6.8EPSS: 3%CPEs: 31EXPL: 0CVE-2024-1023 – Io.vertx/vertx-core: memory leak due to the use of netty fastthreadlocal data structures in vertx
https://notcve.org/view.php?id=CVE-2024-1023
27 Mar 2024 — A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory le... • https://access.redhat.com/errata/RHSA-2024:1662 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.8EPSS: 3%CPEs: 18EXPL: 0CVE-2023-5685 – Xnio: stackoverflowexception when the chain of notifier states becomes problematically big
https://notcve.org/view.php?id=CVE-2023-5685
22 Mar 2024 — A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS). Se encontró una falla en XNIO. El XNIO NotifierState que puede provocar una excepción de desbordamiento de pila cuando la cadena de estados de notificador se vuelve problemáticamente grande puede provocar una gestión descontrolada de recursos y una posible denegación de s... • https://access.redhat.com/errata/RHSA-2023:7637 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.4EPSS: 63%CPEs: 26EXPL: 0CVE-2024-1635 – Undertow: out-of-memory error after several closed connections with wildfly-http-client protocol
https://notcve.org/view.php?id=CVE-2024-1635
19 Feb 2024 — A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting Ser... • https://access.redhat.com/errata/RHSA-2024:1674 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 94%CPEs: 444EXPL: 17CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.1EPSS: 4%CPEs: 18EXPL: 1CVE-2023-4853 – Quarkus: http security policy bypass
https://notcve.org/view.php?id=CVE-2023-4853
15 Sep 2023 — A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service. Se encontró una falla en Quarkus donde las políticas de seguridad HTTP no sanitiza correctamente ciertas permutaciones de caracteres al aceptar solicitudes, lo que res... • https://access.redhat.com/errata/RHSA-2023:5170 • CWE-148: Improper Neutralization of Input Leaders CWE-863: Incorrect Authorization •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-4244 – Codehaus-plexus: directory traversal
https://notcve.org/view.php?id=CVE-2022-4244
30 Jun 2023 — A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files. Se encontró una falla en codeplex-codehaus. Un ataque de... • https://access.redhat.com/errata/RHSA-2023:2135 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-4245 – Codehaus-plexus: xml external entity (xxe) injection
https://notcve.org/view.php?id=CVE-2022-4245
30 Jun 2023 — A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection. Se encontró una falla en codehaus-plexus. El org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment no puede sanitizar los comentarios para una secuencia -->. • https://access.redhat.com/errata/RHSA-2023:2135 • CWE-91: XML Injection (aka Blind XPath Injection) CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.8EPSS: 4%CPEs: 29EXPL: 0CVE-2023-1108 – Undertow: infinite loop in sslconduit during close
https://notcve.org/view.php?id=CVE-2023-1108
10 Mar 2023 — A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates. Se encontró una falla en undertow. Este problema hace posible lograr una denegación de servicio debido a un estado de protocolo de enlace inesperado actualizado en SslConduit, donde el bucle nunca termina Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized i... • https://access.redhat.com/errata/RHSA-2023:1184 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 3.7EPSS: 0%CPEs: 9EXPL: 0CVE-2022-41862 – postgresql: Client memory disclosure when connecting with Kerberos to modified server
https://notcve.org/view.php?id=CVE-2022-41862
02 Mar 2023 — In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes. A flaw was found In PostgreSQL. A modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions, a server can cause a libpq client to over-read and report an ... • https://bugzilla.redhat.com/show_bug.cgi?id=2165722 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 10EXPL: 0CVE-2022-4492 – undertow: Server identity in https connection is not checked by the undertow client
https://notcve.org/view.php?id=CVE-2022-4492
23 Feb 2023 — The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol. A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. • https://access.redhat.com/security/cve/CVE-2022-4492 • CWE-550: Server-generated Error Message Containing Sensitive Information CWE-918: Server-Side Request Forgery (SSRF) •