Multiple vulnerabilities in Fuse 7.3



| Updated: 2025-04-24
Risk High
Patch available YES
Number of vulnerabilities 5
CVE-ID CVE-2016-2510
CVE-2017-5645
CVE-2017-15691
CVE-2018-3258
CVE-2018-11798
CWE-ID CWE-20
CWE-502
CWE-611
CWE-288
CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Fuse
Server applications / Application servers

Vendor Red Hat Inc.

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU48025

Risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2016-2510

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Jave APIs (BeanShell) component in Oracle Data Integrator. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Fuse: before 7.3.1

CPE2.3 External links

https://access.redhat.com/errata/RHSA-2019:1545


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Deserialization of untrusted data

EUVDB-ID: #VU12127

Risk: High

CVSSv4.0: 0 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-5645

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists receiving serialized log events from another application when using the TCP socket server or UDP socket server. A remote attacker can submit a specially crafted binary payload, when deserialized, and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Fuse: before 7.3.1

CPE2.3 External links

https://access.redhat.com/errata/RHSA-2019:1545


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) XXE attack

EUVDB-ID: #VU12328

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-15691

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper restriction of XML External Entity (XXE) references. A remote attacker can trick the victim into opening a specially crafted XML document that submits malicious XML entities that are parsed by the XML parser, gain access to potentially sensitive information, such as local files or other internal information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Fuse: before 7.3.1

CPE2.3 External links

https://access.redhat.com/errata/RHSA-2019:1545


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Authentication bypass using an alternate path or channel

EUVDB-ID: #VU19264

Risk: High

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-3258

CWE-ID: CWE-288 - Authentication Bypass Using an Alternate Path or Channel

Exploit availability: No

Description

The vulnerability allows an attacker to operate the product.

The vulnerability exists due to the access control bypass in the in the "Connector/J" component. A remote authenticated attacker with network access via multiple protocols can takeover the MySQL Connectors.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Fuse: before 7.3.1

CPE2.3 External links

https://access.redhat.com/errata/RHSA-2019:1545


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Information disclosure

EUVDB-ID: #VU16947

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-11798

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to unspecified flaw. A remote attacker can access files outside the set webservers docroot path.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Fuse: before 7.3.1

CPE2.3 External links

https://access.redhat.com/errata/RHSA-2019:1545


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###