Chapter 6. Fixed Common Vulnerabilities and Exposures

This section details Common Vulnerabilities and Exposures (CVEs) fixed in the AMQ Broker 7.12 release.

  • ENTMQBR-8644 - TRIAGE CVE-2023-6717 keycloak: XSS via assertion consumer service URL in SAML POST-binding flow [amq-7]
  • ENTMQBR-8976 - TRIAGE CVE-2024-29025 netty-codec-http: Allocation of Resources Without Limits or Throttling [amq-7]
  • ENTMQBR-8927 - CVE-2024-22259 springframework: URL Parsing with Host Validation [amq-7]
  • ENTMQBR-8740 - CVE-2024-1132 keycloak: path traversal in redirection validation [amq-7]
  • ENTMQBR-8758 - CVE-2024-1249 keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkLoginIframe leads to DDoS [amq-7]
  • ENTMQBR-8626 - CVE-2023-6378 logback: serialization vulnerability in logback receiver [amq-7]
  • ENTMQBR-8627 - CVE-2023-6481 logback: A serialization vulnerability in logback receiver [amq-7]
  • ENTMQBR-8953 - CVE-2024-29131 CVE-2024-29133 commons-configuration2: various flaws [amq-7]
  • ENTMQBR-8702 - CVE-2023-44981 zookeeper: Authorization Bypass in Apache ZooKeeper [amq-7]
  • ENTMQBR-8611 - CVE-2022-41678 activemq: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE [amq-7]
  • ENTMQBR-8225 - CVE-2023-24540 amq-broker-rhel8-operator-container: golang: html/template: improper handling of JavaScript whitespace [amq-7]
  • ENTMQBR-8227 - CVE-2022-21698 amq-broker-rhel8-operator-container: prometheus/client_golang: Denial of service using InstrumentHandlerCounter [amq-7]
  • ENTMQBR-8238 - CVE-2022-21698 CVE-2023-24534 amq-broker-rhel8-operator-container: golang: net/http, net/textproto: denial of service from excessive memory allocation [amq-7]
  • ENTMQBR-8239 - CVE-2023-29400 amq-broker-rhel8-operator-container: golang: html/template: improper handling of empty HTML attributes [amq-7]
  • ENTMQBR-8240 - CVE-2023-24539 amq-broker-rhel8-operator-container: golang: html/template: improper sanitization of CSS values [amq-7]
  • ENTMQBR-8228 - CVE-2021-43565 amq-broker-rhel8-operator-container: golang.org/x/crypto: empty plaintext packet causes panic [amq-7]
  • ENTMQBR-8230 - CVE-2022-41723 amq-broker-rhel8-operator-container: net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding [amq-7]
  • ENTMQBR-8236 - CVE-2023-24536 amq-broker-rhel8-operator-container: golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption [amq-7]
  • ENTMQBR-8237 - CVE-2023-24537 amq-broker-rhel8-operator-container: golang: go/parser: Infinite loop in parsing [amq-7]
  • ENTMQBR-8231 - CVE-2022-2879 amq-broker-rhel8-operator-container: golang: archive/tar: unbounded memory consumption when reading headers [amq-7]
  • ENTMQBR-8229 - CVE-2022-27664 amq-broker-rhel8-operator-container: golang: net/http: handle server errors after sending GOAWAY [amq-7]
  • ENTMQBR-8226 - CVE-2022-32189 amq-broker-rhel8-operator-container: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service [amq-7]
  • ENTMQBR-8232 - CVE-2022-41715 amq-broker-rhel8-operator-container: golang: regexp/syntax: limit memory used by parsing regexps [amq-7]
  • ENTMQBR-8241 - CVE-2023-24538 amq-broker-rhel8-operator-container: golang: html/template: backticks not treated as string delimiters [amq-7]
  • ENTMQBR-8233 - CVE-2022-2880 amq-broker-rhel8-operator-container: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters [amq-7]
  • ENTMQBR-8234 - CVE-2022-41724 amq-broker-rhel8-operator-container: golang: crypto/tls: large handshake records may cause panics [amq-7]
  • ENTMQBR-8608 - CVE-2022-41678 activemq-broker-operator: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE [amq-7]
  • ENTMQBR-8235 - CVE-2022-41725 amq-broker-rhel8-operator-container: golang: net/http, mime/multipart: denial of service from excessive resource consumption [amq-7]
  • ENTMQBR-8671 - CVE-2023-51074 json-path: stack-based buffer overflow in Criteria.parse method [amq-7]
© 2024 Red Hat, Inc.