Site icon API Security Blog

(RHSA-2022:6835) Important: Service Registry (container images) release and security update [2.3.0.GA]

This release of Red Hat Integration – Service registry 2.3.0.GA serves as a replacement for 2.0.3.GA, and includes the below security fixes.

Security Fix(es):

* cron-utils: template Injection leading to unauthenticated Remote Code Execution (CVE-2021-41269)

* prismjs: improperly escaped output allows a XSS (CVE-2022-23647)

* snakeyaml: Denial of Service due missing to nested depth limitation for collections (CVE-2022-25857)

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

* protobuf-java: potential DoS in the parsing procedure for binary data (CVE-2021-22569)

* quarkus: privilege escalation vulnerability with RestEasy Reactive scope leakage in Quarkus (CVE-2022-0981)

* quarkus-jdbc-postgresql-deployment: jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes (CVE-2022-21724)

* netty-codec: SnappyFrameDecoder doesn’t restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)

* netty-codec: Bzip2Decoder doesn’t allow setting size restrictions for decompressed data (CVE-2021-37136)

* node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)

* follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536)

* jdbc-postgresql: postgresql-jdbc: Arbitrary File Write Vulnerability (CVE-2022-26520)

* node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery (CVE-2022-24771)

* node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery (CVE-2022-24772)

* node-forge: Signature verification leniency in checking `DigestInfo` structure (CVE-2022-24773)

* com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson (CVE-2022-25647)

* terser: insecure use of regular expressions leads to ReDoS (CVE-2022-25858)

* graphql-java: DoS by malicious query (CVE-2022-37734)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Read More

Exit mobile version