Red Hat Decision Manager

Recent Red Hat Decision Manager Security Advisories

Advisory         Title                                                    Published
RHSA-2022:1379   Low: Red Hat Decision Manager 7.12.1 security update     April 14, 2022
RHSA-2022:1110   Moderate: Red Hat Decision Manager 7.12.1 security update March 29, 2022
RHSA-2022:0297   Moderate: Red Hat Decision Manager 7.12.0 security update January 26, 2022
RHSA-2021:2476   Moderate: Red Hat Decision Manager 7.11.0 security update June 17, 2021

By the Year

In 2024 there have been 0 vulnerabilities published for Red Hat Decision Manager. Last year Decision Manager had 4 security vulnerabilities published. Right now, Decision Manager is on track to have fewer security vulnerabilities in 2024 than it did last year.

Year  Vulnerabilities  Average CVSS score
2024 0 0.00
2023 4 7.98
2022 2 8.15
2021 0 0.00
2020 8 7.23
2019 5 8.88
2018 0 0.00

It may take a day or so for new Decision Manager vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name (several of the entries below are filed against the embedded components: Undertow, Quarkus, Drools, Keycloak, Hibernate, jackson-databind).

Recent Red Hat Decision Manager Security Vulnerabilities

CVE-2023-44487 7.5 - High - October 10, 2023

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Resource Exhaustion

CVE-2023-4853 8.1 - High - September 20, 2023

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

AuthZ

CVE-2023-1108 7.5 - High - September 14, 2023

A flaw was found in Undertow. An unexpected handshake status update in SslConduit causes a loop that never terminates, which makes a denial of service possible.

Infinite Loop

CVE-2022-1415 8.8 - High - September 11, 2023

A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.

Marshaling, Unmarshaling

CVE-2019-14840 7.5 - High - October 17, 2022

A flaw was found in RHDM, where sensitive HTML form fields such as the password field have auto-complete enabled, which may lead to leaked credentials.

Insufficiently Protected Credentials

CVE-2019-14841 8.8 - High - October 17, 2022

A flaw was found in the RHDM, where an authenticated attacker can change their assigned role in the response header. This flaw allows an attacker to gain admin privileges in the Business Central Console.

Improper Preservation of Permissions

CVE-2020-1748 7.5 - High - September 16, 2020

A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources.

CVE-2019-14900 6.5 - Medium - July 06, 2020

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

SQL Injection

CVE-2020-1714 8.8 - High - May 13, 2020

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.

Improper Input Validation
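The Drools entry (CVE-2022-1415) and the Keycloak entry (CVE-2020-1714) above share one root cause: attacker-supplied bytes reach an ObjectInputStream with no type check, so any Serializable class on the classpath can be instantiated and its readObject hook executed before the caller ever sees a result. The following is an added example, not code from Drools, Keycloak or Red Hat Decision Manager, that shows the unfiltered pattern beside a per-stream allow-list ObjectInputFilter (JEP 290, Java 9 and later). The classes Customer, HookedPayload and SafeDeser and the filter pattern are this example's own; HookedPayload is a harmless stand-in for a gadget class whose hook only flips a flag.

```java
import java.io.*;

// Constructed example for this page: an allow-list ObjectInputFilter (JEP 290, Java 9+)
// applied to ObjectInputStream. This is not Drools or Keycloak code.

// The only type the service legitimately expects to read from the stream.
class Customer implements Serializable {
    private static final long serialVersionUID = 1L;
    final String name;
    final int tier;
    Customer(String name, int tier) { this.name = name; this.tier = tier; }
}

// Harmless stand-in for a gadget class: any Serializable class on the classpath with a
// readObject hook runs that hook during deserialization, before the caller sees a result.
class HookedPayload implements Serializable {
    private static final long serialVersionUID = 1L;
    static boolean hookRan = false;
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        hookRan = true; // a real gadget chain would do far worse here
    }
}

public class SafeDeser {

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Vulnerable pattern: untrusted bytes go straight into ObjectInputStream.
    static Object unsafeRead(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Hardened: per-stream allow-list. Only Customer (and String, for its field) may be
    // resolved; "!*" rejects everything else, and the limits bound graph depth, reference
    // count and stream size. A rejected class is never instantiated and its hook never runs.
    static final ObjectInputFilter ALLOW_CUSTOMER = ObjectInputFilter.Config.createFilter(
            "maxdepth=3;maxrefs=64;maxbytes=4096;Customer;java.lang.String;!*");

    static Object safeRead(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOW_CUSTOMER); // must be set before the first read
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new Customer("acme", 2));
        byte[] hostile = serialize(new HookedPayload());

        // Unfiltered: the hook in HookedPayload executes as a side effect of readObject().
        unsafeRead(hostile);
        System.out.println("unfiltered: hook ran = " + HookedPayload.hookRan);

        HookedPayload.hookRan = false;
        Customer c = (Customer) safeRead(legit);
        System.out.println("filtered: read " + c.name + " tier " + c.tier);
        try {
            safeRead(hostile);
        } catch (InvalidClassException e) {
            // The JDK reports "filter status: REJECTED"; the hook did not run.
            System.out.println("filtered: rejected (" + e.getMessage()
                    + "), hook ran = " + HookedPayload.hookRan);
        }
    }
}
```

Compile and run with `javac SafeDeser.java && java SafeDeser`. The same pattern string can be applied process-wide with `-Djdk.serialFilter=...` or `ObjectInputFilter.Config.setSerialFilter(...)`, which is the pragmatic mitigation when the deserialization call sits inside a third-party library such as Drools or Keycloak rather than in your own code.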

CVE-2020-1720 6.5 - Medium - March 17, 2020

A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to drop objects such as functions and triggers, leading to database corruption. This issue affects PostgreSQL versions before 12.2, 11.7, 10.12 and 9.6.17.

AuthZ

CVE-2019-14886 6.5 - Medium - March 05, 2020

A vulnerability was found in business-central, as shipped in rhdm-7.5.1 and rhpam-7.5.1, where encoded passwords are stored in errai_security_context. The encoding used for storing the passwords is Base64, not an encryption algorithm, and any recovery of these passwords could lead to user passwords being exposed.

Cleartext Storage of Sensitive Information
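The point of this entry is that Base64 is an encoding, not a hash or a cipher: anyone who can read errai_security_context can decode the stored value back to the password. As an added example, not Business Central or errai code, the following shows that reversible record beside a salted PBKDF2-HMAC-SHA256 record with a constant-time verify, using only the JDK. The iterations$salt$hash layout, the 600,000-iteration count and the class name PasswordStorage are this example's own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Constructed example for this page: encoding versus password hashing. Not errai code.
public class PasswordStorage {

    // What the entry above describes: a Base64 "encoded" password. Trivially reversible.
    static String base64Store(String password) {
        return Base64.getEncoder().encodeToString(password.getBytes(StandardCharsets.UTF_8));
    }
    static String base64Recover(String stored) {
        return new String(Base64.getDecoder().decode(stored), StandardCharsets.UTF_8);
    }

    // Hardened: salted PBKDF2-HMAC-SHA256. Record layout "iterations$salt$hash" is this
    // example's own; storing the iteration count lets it be raised later without a migration.
    static final int ITERATIONS = 600_000;
    static final int KEY_BITS = 256;
    static final SecureRandom RNG = new SecureRandom();

    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    static String hashStore(char[] password) throws Exception {
        byte[] salt = new byte[16];          // per-user random salt defeats precomputed tables
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder().withoutPadding();
        return ITERATIONS + "$" + enc.encodeToString(salt) + "$" + enc.encodeToString(hash);
    }

    static boolean verify(char[] password, String stored) throws Exception {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) return false;
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        String pw = "hunter2"; // constructed sample password
        String weak = base64Store(pw);
        System.out.println("base64 record : " + weak + "  -> recovered: " + base64Recover(weak));
        String strong = hashStore(pw.toCharArray());
        System.out.println("pbkdf2 record : " + strong);
        System.out.println("verify correct: " + verify(pw.toCharArray(), strong));
        System.out.println("verify wrong  : " + verify("hunter3".toCharArray(), strong));
    }
}
```

Run with `javac PasswordStorage.java && java PasswordStorage`. A PBKDF2 record cannot be turned back into the password; the only recovery is guessing, and the iteration count sets the cost of each guess.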

CVE-2019-14892 9.8 - Critical - March 02, 2020

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

Marshaling, Unmarshaling

CVE-2019-14863 6.1 - Medium - January 02, 2020

There is a vulnerability in all angular versions before 1.5.0-beta.0, where data that escapes the web application's output context is delivered to its users alongside other trusted dynamic content without being validated, enabling cross-site scripting.

XSS

CVE-2019-14862 6.1 - Medium - January 02, 2020

There is a vulnerability in knockout before version 3.5.0-beta, where data that escapes the web application's output context is delivered to its users alongside other trusted dynamic content without being validated, enabling cross-site scripting.

XSS

CVE-2018-12023 7.5 - High - March 21, 2019

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and the attacker can supply an LDAP service for it to connect to, it is possible to make the service execute a malicious payload.

Marshaling, Unmarshaling

CVE-2018-12022 7.5 - High - March 21, 2019

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access in the Jodd framework) in the classpath, and the attacker can supply an LDAP service for it to connect to, it is possible to make the service execute a malicious payload.

Marshaling, Unmarshaling

CVE-2018-19362 9.8 - Critical - January 02, 2019

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Marshaling, Unmarshaling

CVE-2018-19361 9.8 - Critical - January 02, 2019

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Marshaling, Unmarshaling

CVE-2018-19360 9.8 - Critical - January 02, 2019

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Marshaling, Unmarshaling
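Every jackson-databind entry on this page (CVE-2019-14892, CVE-2018-12023, CVE-2018-12022, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360) is the same shape of bug: with Default Typing enabled and no restriction on which type ids are honoured, the JSON names a class that happens to be on the classpath and whose constructor or setter does something dangerous, and the blocklist in jackson-databind lags one gadget behind. The following is an added example, not jackson-databind's or Red Hat Decision Manager's own code, showing the unrestricted configuration beside the allow-list PolymorphicTypeValidator that jackson-databind 2.10 and later provide. It needs jackson-databind 2.10 or later on the classpath; the class PolyTyping, its nested Shape, Circle and LookupStandIn types, and the two JSON documents are constructed for this example. LookupStandIn is a harmless stand-in for the JDBC/JNDI gadget classes named in the entries above: its setter only records the name it was asked to look up.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Constructed example for this page (not jackson-databind or Decision Manager code).
// Requires jackson-databind 2.10+ on the classpath.
public class PolyTyping {

    // The types the application legitimately accepts polymorphically.
    public interface Shape { double area(); }
    public static class Circle implements Shape {
        public double radius;
        public double area() { return Math.PI * radius * radius; }
    }

    // Harmless stand-in for a gadget class. The real ones (JDBC/JNDI classes named in the
    // CVEs above) perform an LDAP lookup inside a setter; this one only records the value.
    public static class LookupStandIn {
        public static String lastLookup = null;
        public void setJndiName(String name) { lastLookup = name; }
    }

    // Attacker-controlled JSON, constructed here: the type slot names an arbitrary class.
    static final String HOSTILE =
            "[\"PolyTyping$LookupStandIn\", {\"jndiName\": \"ldap://attacker.invalid/x\"}]";
    static final String LEGIT = "[\"PolyTyping$Circle\", {\"radius\": 2.0}]";

    // Vulnerable configuration: default typing for every non-final type and no validator,
    // so any class reachable on the classpath can be named in the JSON.
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Hardened configuration: only subtypes of Shape may be named; every other type id is
    // rejected before the class is instantiated, so no constructor or setter of it runs.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL,
                JsonTypeInfo.As.WRAPPER_ARRAY);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // 1. Vulnerable: the type id is honoured and the stand-in's setter runs.
        Object o = vulnerableMapper().readValue(HOSTILE, Object.class);
        System.out.println("vulnerable: instantiated " + o.getClass().getName()
                + ", setter saw " + LookupStandIn.lastLookup);

        // 2. Hardened: legitimate polymorphic input still works ...
        LookupStandIn.lastLookup = null;
        Shape s = hardenedMapper().readValue(LEGIT, Shape.class);
        System.out.println("hardened: area = " + s.area());

        // ... and the hostile type id is refused (InvalidTypeIdException, a JsonMappingException).
        try {
            hardenedMapper().readValue(HOSTILE, Object.class);
        } catch (JsonMappingException e) {
            System.out.println("hardened: rejected, setter saw " + LookupStandIn.lastLookup);
        }
    }
}
```

The allow-list is the durable fix: upgrading jackson-databind only extends its blocklist, while a validator that names your own base types rejects every gadget, known or not. If an application never needs polymorphic input, leaving default typing off entirely is better still.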
