gitimages.expertflow.com/campaign-manager/campaign-scheduler:4.4 (oracle 8.8) ============================================================================= Total: 40 (UNKNOWN: 0, LOW: 1, MEDIUM: 25, HIGH: 14, CRITICAL: 0) +------------------------+------------------+----------+---------------------+--------------------------+---------------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +------------------------+------------------+----------+---------------------+--------------------------+---------------------------------------+ | binutils | CVE-2022-4285 | MEDIUM | 2.30-119.0.2.el8 | 2.30-119.0.2.el8_8.2 | binutils: NULL | | | | | | | pointer dereference in | | | | | | | _bfd_elf_get_symbol_version_string | | | | | | | leads to segfault | | | | | | | -->avd.aquasec.com/nvd/cve-2022-4285 | +------------------------+------------------+ +---------------------+--------------------------+---------------------------------------+ | curl | CVE-2023-28322 | | 7.61.1-30.el8_8.3 | 7.61.1-33.el8_9.5 | curl: more POST-after-PUT confusion | | | | | | | -->avd.aquasec.com/nvd/cve-2023-28322 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-38546 | | | | curl: cookie injection with none file | | | | | | | -->avd.aquasec.com/nvd/cve-2023-38546 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-46218 | | | | curl: information disclosure | | | | | | | by exploiting a mixed case flaw | | | | | | | -->avd.aquasec.com/nvd/cve-2023-46218 | +------------------------+------------------+ +---------------------+--------------------------+---------------------------------------+ | expat | CVE-2023-52425 | | 2.2.5-11.0.1.el8 | 2.2.5-11.0.1.el8_9.1 | expat: parsing large tokens | | | | | | | can trigger a denial of service | | | | | | | -->avd.aquasec.com/nvd/cve-2023-52425 | +------------------------+------------------+----------+---------------------+--------------------------+---------------------------------------+ | glibc | CVE-2023-4527 | HIGH | 2.28-225.0.3.el8 | 2.28-225.0.4.el8_8.6 | glibc: Stack read overflow in | | | | | | | getaddrinfo in no-aaaa mode | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4527 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4806 | | | | glibc: potential | | | | | | | use-after-free in getaddrinfo() | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4806 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4813 | | | | glibc: potential | | | | | | | use-after-free in gaih_inet() | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4813 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4911 | | | | glibc: buffer overflow in ld.so | | | | | | | leading to privilege escalation | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4911 | +------------------------+------------------+ + + +---------------------------------------+ | glibc-common | CVE-2023-4527 | | | | glibc: Stack read overflow in | | | | | | | getaddrinfo in no-aaaa mode | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4527 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4806 | | | | glibc: potential | | | | | | | use-after-free in getaddrinfo() | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4806 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4813 | | | | glibc: potential | | | | | | | use-after-free in gaih_inet() | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4813 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4911 | | | | glibc: buffer overflow in ld.so | | | | | | | leading to privilege escalation | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4911 | +------------------------+------------------+ + + +---------------------------------------+ | glibc-minimal-langpack | CVE-2023-4527 | | | | glibc: Stack read overflow in | | | | | | | getaddrinfo in no-aaaa mode | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4527 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4806 | | | | glibc: potential | | | | | | | use-after-free in getaddrinfo() | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4806 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4813 | | | | glibc: potential | | | | | | | use-after-free in gaih_inet() | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4813 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4911 | | | | glibc: buffer overflow in ld.so | | | | | | | leading to privilege escalation | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4911 | +------------------------+------------------+----------+---------------------+--------------------------+---------------------------------------+ | gnutls | CVE-2021-20231 | MEDIUM | 3.6.16-6.el8_7 | 10:3.6.16-4.0.1.el8_fips | gnutls: Use after free in | | | | | | | client key_share extension | | | | | | | -->avd.aquasec.com/nvd/cve-2021-20231 | + +------------------+ + + +---------------------------------------+ | | CVE-2021-20232 | | | | gnutls: Use after free | | | | | | | in client_send_params in | | | | | | | lib/ext/pre_shared_key.c | | | | | | | -->avd.aquasec.com/nvd/cve-2021-20232 | + +------------------+ + + +---------------------------------------+ | | CVE-2021-3580 | | | | nettle: Remote crash | | | | | | | in RSA decryption via | | | | | | | manipulated ciphertext | | | | | | | -->avd.aquasec.com/nvd/cve-2021-3580 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2023-5981 | | | 3.6.16-8.el8_9 | gnutls: timing side-channel | | | | | | | in the RSA-PSK authentication | | | | | | | -->avd.aquasec.com/nvd/cve-2023-5981 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2024-0553 | | | 10:3.6.16-8.el8_9.1_fips | gnutls: incomplete | | | | | | | fix for CVE-2023-5981 | | | | | | | -->avd.aquasec.com/nvd/cve-2024-0553 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2024-28834 | | | 3.6.16-8.el8_9.3 | gnutls: vulnerable to Minerva | | | | | | | side-channel information leak | | | | | | | -->avd.aquasec.com/nvd/cve-2024-28834 | +------------------------+------------------+ +---------------------+--------------------------+---------------------------------------+ | libcurl | CVE-2023-28322 | | 7.61.1-30.el8_8.3 | 7.61.1-33.el8_9.5 | curl: more POST-after-PUT confusion | | | | | | | -->avd.aquasec.com/nvd/cve-2023-28322 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-38546 | | | | curl: cookie injection with none file | | | | | | | -->avd.aquasec.com/nvd/cve-2023-38546 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-46218 | | | | curl: information disclosure | | | | | | | by exploiting a mixed case flaw | | | | | | | -->avd.aquasec.com/nvd/cve-2023-46218 | +------------------------+------------------+----------+---------------------+--------------------------+---------------------------------------+ | libgcrypt | CVE-2021-40528 | HIGH | 1.8.5-7.el8_6 | 10:1.8.5-7.el8_6_fips | libgcrypt: ElGamal implementation | | | | | | | allows plaintext recovery | | | | | | | -->avd.aquasec.com/nvd/cve-2021-40528 | + +------------------+----------+ +--------------------------+---------------------------------------+ | | CVE-2021-33560 | MEDIUM | | 10:1.8.5-6.el8_fips | libgcrypt: mishandles ElGamal | | | | | | | encryption because it lacks | | | | | | | exponent blinding to address a... | | | | | | | -->avd.aquasec.com/nvd/cve-2021-33560 | +------------------------+------------------+----------+---------------------+--------------------------+---------------------------------------+ | libnghttp2 | CVE-2023-44487 | HIGH | 1.33.0-3.el8_2.1 | 1.33.0-5.el8_8 | HTTP/2: Multiple HTTP/2 | | | | | | | enabled web servers are | | | | | | | vulnerable to a DDoS attack... | | | | | | | -->avd.aquasec.com/nvd/cve-2023-44487 | +------------------------+------------------+----------+---------------------+--------------------------+---------------------------------------+ | libssh | CVE-2023-48795 | MEDIUM | 0.9.6-10.el8_8 | 0.9.6-13.el8_9 | ssh: Prefix truncation attack | | | | | | | on Binary Packet Protocol (BPP) | | | | | | | -->avd.aquasec.com/nvd/cve-2023-48795 | +------------------------+ + + + + + | libssh-config | | | | | | | | | | | | | | | | | | | | +------------------------+------------------+ +---------------------+--------------------------+---------------------------------------+ | libxml2 | CVE-2023-39615 | | 2.9.7-16.el8_8.1 | 2.9.7-18.el8_9 | libxml2: crafted xml can | | | | | | | cause global buffer overflow | | | | | | | -->avd.aquasec.com/nvd/cve-2023-39615 | +------------------------+------------------+ +---------------------+--------------------------+---------------------------------------+ | rpm | CVE-2021-35937 | | 4.14.3-26.el8 | 4.14.3-28.0.2.el8_9 | rpm: TOCTOU race in | | | | | | | checks for unsafe symlinks | | | | | | | -->avd.aquasec.com/nvd/cve-2021-35937 | + +------------------+ + + +---------------------------------------+ | | CVE-2021-35938 | | | | rpm: races with | | | | | | | chown/chmod/capabilities | | | | | | | calls during installation | | | | | | | -->avd.aquasec.com/nvd/cve-2021-35938 | + +------------------+ + + +---------------------------------------+ | | CVE-2021-35939 | | | | rpm: checks for unsafe | | | | | | | symlinks are not performed | | | | | | | for intermediary directories | | | | | | | -->avd.aquasec.com/nvd/cve-2021-35939 | +------------------------+------------------+ + + +---------------------------------------+ | rpm-libs | CVE-2021-35937 | | | | rpm: TOCTOU race in | | | | | | | checks for unsafe symlinks | | | | | | | -->avd.aquasec.com/nvd/cve-2021-35937 | + +------------------+ + + +---------------------------------------+ | | CVE-2021-35938 | | | | rpm: races with | | | | | | | chown/chmod/capabilities | | | | | | | calls during installation | | | | | | | -->avd.aquasec.com/nvd/cve-2021-35938 | + +------------------+ + + +---------------------------------------+ | | CVE-2021-35939 | | | | rpm: checks for unsafe | | | | | | | symlinks are not performed | | | | | | | for intermediary directories | | | | | | | -->avd.aquasec.com/nvd/cve-2021-35939 | +------------------------+------------------+----------+---------------------+--------------------------+---------------------------------------+ | shadow-utils | CVE-2023-4641 | LOW | 2:4.6-17.el8 | 2:4.6-19.el8 | shadow-utils: possible password | | | | | | | leak during passwd(1) change | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4641 | +------------------------+------------------+----------+---------------------+--------------------------+---------------------------------------+ | sqlite-libs | CVE-2023-7104 | MEDIUM | 3.26.0-18.0.1.el8_8 | 3.26.0-19.0.1.el8_9 | sqlite: heap-buffer-overflow | | | | | | | at sessionfuzz | | | | | | | -->avd.aquasec.com/nvd/cve-2023-7104 | +------------------------+------------------+----------+---------------------+--------------------------+---------------------------------------+ Java (jar) ========== Total: 21 (UNKNOWN: 0, LOW: 0, MEDIUM: 9, HIGH: 11, CRITICAL: 1) +------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------+ | ch.qos.logback:logback-classic | CVE-2023-6378 | HIGH | 1.4.7 | 1.3.12, 1.4.12, 1.2.13 | logback: serialization | | | | | | | vulnerability in logback receiver | | | | | | | -->avd.aquasec.com/nvd/cve-2023-6378 | +------------------------------------------------+ + + + + + | ch.qos.logback:logback-core | | | | | | | | | | | | | | | | | | | | +------------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------------+ | com.google.code.gson:gson | CVE-2022-25647 | | 2.8.6 | 2.8.9 | com.google.code.gson-gson: | | | | | | | Deserialization of Untrusted | | | | | | | Data in com.google.code.gson-gson | | | | | | | -->avd.aquasec.com/nvd/cve-2022-25647 | +------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------+ | com.squareup.okio:okio | CVE-2023-3635 | MEDIUM | 2.8.0 | 3.4.0, 1.17.6 | okio: GzipSource class | | | | | | | improper exception handling | | | | | | | -->avd.aquasec.com/nvd/cve-2023-3635 | +------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------+ | org.apache.tomcat.embed:tomcat-embed-core | CVE-2023-46589 | HIGH | 10.1.8 | 11.0.0-M11, 10.1.16, 9.0.83, | tomcat: HTTP request smuggling | | | | | | 8.5.96 | via malformed trailer headers | | | | | | | -->avd.aquasec.com/nvd/cve-2023-46589 | + +------------------+----------+ +--------------------------------+-----------------------------------------------+ | | CVE-2023-41080 | MEDIUM | | 8.5.93, 9.0.80, 10.1.13, | tomcat: Open Redirect vulnerability | | | | | | 11.0.0-M11 | in FORM authentication | | | | | | | -->avd.aquasec.com/nvd/cve-2023-41080 | + +------------------+ + +--------------------------------+-----------------------------------------------+ | | CVE-2023-42795 | | | 11.0.0-M12, 10.1.14, 9.0.81, | tomcat: improper cleaning | | | | | | 8.5.94 | of recycled objects could | | | | | | | lead to information leak | | | | | | | -->avd.aquasec.com/nvd/cve-2023-42795 | + +------------------+ + + +-----------------------------------------------+ | | CVE-2023-44487 | | | | HTTP/2: Multiple HTTP/2 | | | | | | | enabled web servers are | | | | | | | vulnerable to a DDoS attack... | | | | | | | -->avd.aquasec.com/nvd/cve-2023-44487 | + +------------------+ + + +-----------------------------------------------+ | | CVE-2023-45648 | | | | tomcat: incorrectly parsed | | | | | | | http trailer headers can | | | | | | | cause request smuggling | | | | | | | -->avd.aquasec.com/nvd/cve-2023-45648 | + +------------------+ + +--------------------------------+-----------------------------------------------+ | | CVE-2024-24549 | | | 8.5.99, 9.0.86, 10.1.19, | : Apache Tomcat: HTTP/2 | | | | | | 11.0.0-M17 | header handling DoS | | | | | | | -->avd.aquasec.com/nvd/cve-2024-24549 | +------------------------------------------------+------------------+ + +--------------------------------+-----------------------------------------------+ | org.apache.tomcat.embed:tomcat-embed-websocket | CVE-2024-23672 | | | 11.0.0-M17, 10.1.19, 9.0.86, | Apache Tomcat: WebSocket DoS | | | | | | 8.5.99 | with incomplete closing handshake | | | | | | | -->avd.aquasec.com/nvd/cve-2024-23672 | +------------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------------+ | org.hibernate.validator:hibernate-validator | CVE-2020-10693 | | 6.0.18.Final | 6.1.5.Final, 6.0.20.Final | hibernate-validator: Improper input | | | | | | | validation in the interpolation | | | | | | | of constraint error messages | | | | | | | -->avd.aquasec.com/nvd/cve-2020-10693 | +------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------+ | org.json:json | CVE-2022-45688 | HIGH | 20200518 | 20230227 | json stack overflow vulnerability | | | | | | | -->avd.aquasec.com/nvd/cve-2022-45688 | + +------------------+ + +--------------------------------+-----------------------------------------------+ | | CVE-2023-5072 | | | 20231013 | JSON-java: parser | | | | | | | confusion leads to OOM | | | | | | | -->avd.aquasec.com/nvd/cve-2023-5072 | +------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------+ | org.postgresql:postgresql | CVE-2024-1597 | CRITICAL | 42.6.0 | 42.2.28, 42.3.9, 42.4.4, | pgjdbc: PostgreSQL JDBC Driver | | | | | | 42.5.5, 42.6.1, 42.7.2 | allows attacker to inject SQL if | | | | | | | using PreferQueryMode=SIMPLE... | | | | | | | -->avd.aquasec.com/nvd/cve-2024-1597 | +------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------+ | org.springframework.boot:spring-boot | CVE-2023-34055 | MEDIUM | 3.1.0 | 2.7.18, 3.0.13, 3.1.6 | spring-boot: | | | | | | | org.springframework.boot:spring-boot-actuator | | | | | | | class vulnerable to denial of service | | | | | | | -->avd.aquasec.com/nvd/cve-2023-34055 | +------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------+ | org.springframework:spring-web | CVE-2024-22243 | HIGH | 6.0.9 | 6.1.4, 6.0.17, 5.3.32 | springframework: URL | | | | | | | Parsing with Host Validation | | | | | | | -->avd.aquasec.com/nvd/cve-2024-22243 | + +------------------+ + +--------------------------------+-----------------------------------------------+ | | CVE-2024-22259 | | | 6.1.5, 6.0.18, 5.3.33 | springframework: URL | | | | | | | Parsing with Host Validation | | | | | | | -->avd.aquasec.com/nvd/cve-2024-22259 | + +------------------+ + +--------------------------------+-----------------------------------------------+ | | CVE-2024-22262 | | | 5.3.34, 6.0.19, 6.1.6 | springframework: URL | | | | | | | Parsing with Host Validation | | | | | | | -->avd.aquasec.com/nvd/cve-2024-22262 | +------------------------------------------------+------------------+ + +--------------------------------+-----------------------------------------------+ | org.springframework:spring-webmvc | CVE-2023-34053 | | | 6.0.14 | springframework: | | | | | | | io.micrometer:micrometer-core | | | | | | | classpath vulnerable | | | | | | | to denial of service | | | | | | | -->avd.aquasec.com/nvd/cve-2023-34053 | +------------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------------+ | org.yaml:snakeyaml | CVE-2022-1471 | | 1.33 | 2.0 | SnakeYaml: Constructor | | | | | | | Deserialization | | | | | | | Remote Code Execution | | | | | | | -->avd.aquasec.com/nvd/cve-2022-1471 | +------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------+