Decision Manager Red Hat Decision Manager

Do you want an email whenever new security vulnerabilities are reported in Red Hat Decision Manager?

Recent Red Hat Decision Manager Security Advisories

Advisory Title Published
RHSA-2022:1379 (RHSA-2022:1379) Low: Red Hat Decision Manager 7.12.1 security update April 14, 2022
RHSA-2022:1110 (RHSA-2022:1110) Moderate: Red Hat Decision Manager 7.12.1 security update March 29, 2022
RHSA-2022:0297 (RHSA-2022:0297) Moderate: Red Hat Decision Manager 7.12.0 security update January 26, 2022
RHSA-2021:2476 (RHSA-2021:2476) Moderate: Red Hat Decision Manager 7.11.0 security update June 17, 2021

By the Year

In 2022 there have been 0 vulnerabilities in Red Hat Decision Manager . Decision Manager did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2022 0 0.00
2021 0 0.00
2020 8 7.23
2019 5 8.88
2018 0 0.00

It may take a day or so for new Decision Manager vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Decision Manager Security Vulnerabilities

A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001

CVE-2020-1748 7.5 - High - September 16, 2020

A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources.

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1

CVE-2019-14900 6.5 - Medium - July 06, 2020

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

SQL Injection

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks

CVE-2020-1714 8.8 - High - May 13, 2020

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.

Improper Input Validation

A flaw was found in PostgreSQL's "ALTER

CVE-2020-1720 6.5 - Medium - March 17, 2020

A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17.

AuthZ

A vulnerability was found in business-central

CVE-2019-14886 6.5 - Medium - March 05, 2020

A vulnerability was found in business-central, as shipped in rhdm-7.5.1 and rhpam-7.5.1, where encoded passwords are stored in errai_security_context. The encoding used for storing the passwords is Base64, not an encryption algorithm, and any recovery of these passwords could lead to user passwords being exposed.

Cleartext Storage of Sensitive Information

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it

CVE-2019-14892 9.8 - Critical - March 02, 2020

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

Marshaling, Unmarshaling

There is a vulnerability in knockout before version 3.5.0-beta

CVE-2019-14862 6.1 - Medium - January 02, 2020

There is a vulnerability in knockout before version 3.5.0-beta, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.

XSS

There is a vulnerability in all angular versions before 1.5.0-beta.0

CVE-2019-14863 6.1 - Medium - January 02, 2020

There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.

XSS

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6

CVE-2018-12022 7.5 - High - March 21, 2019

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Marshaling, Unmarshaling

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6

CVE-2018-12023 7.5 - High - March 21, 2019

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Marshaling, Unmarshaling

FasterXML jackson-databind 2.x before 2.9.8 might

CVE-2018-19360 9.8 - Critical - January 02, 2019

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Marshaling, Unmarshaling

FasterXML jackson-databind 2.x before 2.9.8 might

CVE-2018-19361 9.8 - Critical - January 02, 2019

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Marshaling, Unmarshaling

FasterXML jackson-databind 2.x before 2.9.8 might

CVE-2018-19362 9.8 - Critical - January 02, 2019

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Marshaling, Unmarshaling

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Debian Linux or by Red Hat? Click the Watch button to subscribe.

Red Hat
Vendor

subscribe