CVE-2021-3690 – undertow: buffer leak on incoming websocket PONG message may lead to DoS
https://notcve.org/view.php?id=CVE-2021-3690
A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability. Se ha encontrado un fallo en Undertow. • https://access.redhat.com/security/cve/CVE-2021-3690 https://bugzilla.redhat.com/show_bug.cgi?id=1991299 https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877 https://issues.redhat.com/browse/UNDERTOW-1935 • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2021-3642 – wildfly-elytron: possible timing attack in ScramServer
https://notcve.org/view.php?id=CVE-2021-3642
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. Se ha detectado un fallo en Wildfly Elytron en versiones anteriores a 1.10.14.Final, en versiones anteriores a la 1.15.5.Final y en versiones anteriores a la 1.16.1.Final donde ScramServer puede ser susceptible a Timing Attack si está habilitado. La mayor amenaza de esta vulnerabilidad es la confidencialidad. A flaw was found in Wildfly Elytron where ScramServer may be susceptible to Timing Attack if enabled. • https://bugzilla.redhat.com/show_bug.cgi?id=1981407 https://access.redhat.com/security/cve/CVE-2021-3642 • CWE-203: Observable Discrepancy •
CVE-2021-3536 – wildfly: XSS via admin console when creating roles in domain mode
https://notcve.org/view.php?id=CVE-2021-3536
A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity. Se encontró un fallo en Wildfly en versiones anteriores a 23.0.2.Final, mientras se crea un nuevo rol en el modo de dominio por medio de la consola de administración, es posible agregar una carga útil en el campo name, conllevando a una vulnerabilidad de tipo XSS. Esto afecta la Confidencialidad y la Integridad A flaw was found in Wildfly. While creating a new role in the domain mode via the admin console, it is possible to add a payload in the name field, leading to a Cross-site scripting attack (XSS). • https://bugzilla.redhat.com/show_bug.cgi?id=1948001 https://access.redhat.com/security/cve/CVE-2021-3536 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-20218 – fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
https://notcve.org/view.php?id=CVE-2021-20218
A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability. This has been fixed in kubernetes-client-4.13.2 kubernetes-client-5.0.2 kubernetes-client-4.11.2 kubernetes-client-4.7.2 Se encontró un fallo en fabric8 kubernetes-client en versión 4.2.0 y posteriores. Este fallo permite a un pod/container malicioso causar que unas aplicaciones que usan el comando "copy" de fabric8 kubernetes-client extraigan archivos fuera de la ruta de trabajo. • https://bugzilla.redhat.com/show_bug.cgi?id=1923405 https://github.com/fabric8io/kubernetes-client/issues/2715 https://access.redhat.com/security/cve/CVE-2021-20218 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2020-14326 – RESTEasy: Caching routes in RootNode may result in DoS
https://notcve.org/view.php?id=CVE-2020-14326
A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service. Se encontrado una vulnerabilidad en RESTEasy, donde RootNode almacena incorrectamente las rutas en caché. Este problema resulta en una inundación de hash, lo que conlleva a una ralentización de las peticiones con un mayor tiempo de CPU dedicado a buscar y añadir la entrada. • https://bugzilla.redhat.com/show_bug.cgi?id=1855826 https://security.netapp.com/advisory/ntap-20210713-0001 https://access.redhat.com/security/cve/CVE-2020-14326 https://issues.redhat.com/secure/ReleaseNote.jspa?version=12346372&projectId=12310560 • CWE-400: Uncontrolled Resource Consumption CWE-407: Inefficient Algorithmic Complexity •