Multiple vulnerabilities in Red Hat Build of Apache Camel for Quarkus 3.2
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2023-39410 CVE-2023-5072 |
| CWE-ID | CWE-502 CWE-770 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Red Hat build of Quarkus Server applications / Other server solutions |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Deserialization of Untrusted Data
EUVDB-ID: #VU83219
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-39410
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to reader can consume memory beyond the allowed constraints and thus lead to out of memory on the system, when deserializing untrusted or corrupted data. A remote attacker can pass specially crafted data to the application and perform a denial of service attack.
MitigationInstall updates from vendor's website.
Red Hat build of Quarkus: 3.2.0 - 3.2.8
CPE2.3- cpe:2.3:a:red_hat:red_hat_build_of_quarkus:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:red_hat_build_of_quarkus:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:red_hat_build_of_quarkus:3.2.2:*:*:*:*:*:*:*
https://access.redhat.com/errata/RHSA-2023:7617
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Allocation of Resources Without Limits or Throttling
EUVDB-ID: #VU82276
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-5072
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to allocation of resources without limits or throttling. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Red Hat build of Quarkus: 3.2.0 - 3.2.8
CPE2.3- cpe:2.3:a:red_hat:red_hat_build_of_quarkus:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:red_hat_build_of_quarkus:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:red_hat_build_of_quarkus:3.2.2:*:*:*:*:*:*:*
https://access.redhat.com/errata/RHSA-2023:7617
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
