Risk | High
Patch available | Yes
Number of vulnerabilities | 3
CVE-ID | CVE-2021-44906, CVE-2022-24823, CVE-2022-25647
CWE-ID | CWE-400, CWE-378, CWE-502
Exploitation vector | Network
Public exploit | N/A
Vulnerable software | JBoss Enterprise Application Platform (Server applications / Application servers); eap7-javapackages-tools (Red Hat package) (Operating systems & Components / Operating system package or component); eap7 (Red Hat package) (Operating systems & Components / Operating system package or component)
Vendor | Red Hat Inc.
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU64030
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-44906
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description: The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
Mitigation: Install updates from vendor's website.
Vulnerable software versions:
JBoss Enterprise Application Platform: 7.4.0 - 7.4.5
eap7-javapackages-tools (Red Hat package): before 3.4.1-5.15.6.el9eap
eap7 (Red Hat package): before 1-18.el9eap
External links: http://access.redhat.com/errata/RHSA-2022:5894
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU62849
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-24823
CWE-ID:
CWE-378 - Creation of Temporary File With Insecure Permissions
Exploit availability: No
Description: The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to the use of insecure permissions for temporary files. A local user can view the contents of temporary files and gain access to sensitive information.
Mitigation: Install updates from vendor's website.
Vulnerable software versions:
JBoss Enterprise Application Platform: 7.4.0 - 7.4.5
eap7-javapackages-tools (Red Hat package): before 3.4.1-5.15.6.el9eap
eap7 (Red Hat package): before 1-18.el9eap
External links: http://access.redhat.com/errata/RHSA-2022:5894
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU64152
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-25647
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to insufficient input validation when processing serialized data passed to the writeReplace() method. A remote attacker can pass specially crafted data to the application and perform a denial of service attack.
Mitigation: Install updates from vendor's website.
Vulnerable software versions:
JBoss Enterprise Application Platform: 7.4.0 - 7.4.5
eap7-javapackages-tools (Red Hat package): before 3.4.1-5.15.6.el9eap
eap7 (Red Hat package): before 1-18.el9eap
External links: http://access.redhat.com/errata/RHSA-2022:5894
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.