CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
AI Score Confidence: High
EPSS Percentile: 99.8%
This release of Red Hat Fuse 7.12.1 serves as a replacement for Red Hat Fuse 7.12 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
Security Fix(es):
A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.
OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack (CVE-2023-46604)
undertow: OutOfMemoryError due to @MultipartConfig handling (CVE-2023-3223)
okio: GzipSource class improper exception handling (CVE-2023-3635)
spring-security: spring-security-webflux: path wildcard leads to security bypass (CVE-2023-34034)
http2-hpack: jetty: hpack header values cause denial of service in http/2 (CVE-2023-36478)
avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)
jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
tomcat: FileUpload: DoS due to accumulation of temporary files on Windows (CVE-2023-42794)
tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)
tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)
jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)
jetty: OpenId Revoked authentication allows one request (CVE-2023-41900)
For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.