CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence: High
EPSS Percentile: 96.2%
Red Hat Fuse 7.13.0 is now available. This release includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
Security Fix(es):
undertow: OutOfMemoryError due to @MultipartConfig handling (CVE-2023-3223)
jetty-servlets: jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)
jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
jetty-http: jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)
JSON-java: parser confusion leads to OOM (CVE-2023-5072)
http2-hpack: jetty: hpack header values cause denial of service in http/2 (CVE-2023-36478)
spring-boot: org.springframework.boot:spring-boot-actuator class vulnerable to denial of service (CVE-2023-34055)
tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)
activemq: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE (CVE-2022-41678)
logback: serialization vulnerability in logback receiver (CVE-2023-6378)
logback: A serialization vulnerability in logback receiver (CVE-2023-6481)
solr: Apache Solr: Host environment variables are published via the Metrics API (CVE-2023-50290)
shiro: path traversal attack may lead to authentication bypass (CVE-2023-46749)
tomcat: Leaking of unrelated request bodies in default error page (CVE-2024-21733)
springframework: URL Parsing with Host Validation (CVE-2024-22243)
For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.