CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentile: 94.5%
Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products and packaged under Red Hat JBoss Core Services, to allow for faster distribution of updates and for a more consistent update experience.
This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.57 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
apr-util: integer overflow/wraparound in apr_encode (CVE-2022-24963)
apr-util: Windows out-of-bounds write in apr_socket_sendv function (CVE-2022-28331)
httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-36760)
httpd: mod_proxy: HTTP response splitting (CVE-2022-37436)
mod_security: incorrect parsing of HTTP multipart requests leads to web application firewall bypass (CVE-2022-48279)
modsecurity: lacking the complete content in FILES_TMP_CONTENT leads to web application firewall bypass (CVE-2023-24021)
httpd: mod_proxy_uwsgi HTTP response splitting (CVE-2023-27522)
curl: use after free in SSH sha256 fingerprint check (CVE-2023-28319)
curl: IDN wildcard match may lead to Improper Certificate Validation (CVE-2023-28321)
libxml2: NULL dereference in xmlSchemaFixupComplexType (CVE-2023-28484)
libxml2: Hashing of empty dict strings isn’t deterministic (CVE-2023-29469)
curl: more POST-after-PUT confusion (CVE-2023-28322)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.