Red Hat Integration
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Red Hat Integration.
Recent Red Hat Integration Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2025:3540 | (RHSA-2025:3540) Important: Red Hat Integration Camel K 1.10.10 release and security update. | April 2, 2025 |
| RHSA-2025:1154 | (RHSA-2025:1154) Important: Red Hat Integration Camel K 1.10.9 release and security update. | February 6, 2025 |
| RHSA-2024:8339 | (RHSA-2024:8339) Important: Red Hat Integration Camel K 1.10.8 release and security update. | October 22, 2024 |
| RHSA-2024:0793 | (RHSA-2024:0793) Important: Red Hat Integration Camel for Spring Boot 4.0.3 release security update | February 12, 2024 |
| RHSA-2024:0792 | (RHSA-2024:0792) Moderate: Red Hat Integration Camel for Spring Boot 3.20.5 release and security update | February 12, 2024 |
| RHSA-2024:0148 | (RHSA-2024:0148) Important: Red Hat Integration Camel K 1.10.5 release and security update | January 10, 2024 |
| RHSA-2023:7845 | (RHSA-2023:7845) Important: Red Hat Integration Camel for Spring Boot 3.20.4 release and security update | December 14, 2023 |
| RHSA-2023:7842 | (RHSA-2023:7842) Important: Red Hat Integration Camel for Spring Boot 4.0.2 release security update | December 14, 2023 |
| RHSA-2023:6117 | (RHSA-2023:6117) Important: Red Hat Integration Camel K 1.10.4 release and security update | October 25, 2023 |
| RHSA-2023:6080 | (RHSA-2023:6080) Important: Red Hat Integration Camel for Spring Boot 4.0.1 release security update | October 24, 2023 |
By the Year
In 2026 there have been 1 vulnerability in Red Hat Integration with an average score of 7.5 out of ten. Last year, in 2025 Integration had 4 security vulnerabilities published. At the current rates, it appears that the number of vulnerabilities last year and this year may equal out. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.38.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 7.50 |
| 2025 | 4 | 7.13 |
| 2024 | 12 | 7.02 |
| 2023 | 0 | 0.00 |
| 2022 | 1 | 5.90 |
It may take a day or so for new Integration vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Integration Security Vulnerabilities
Undertow OOM via large servlet param names
CVE-2024-4027
7.5 - High
- January 30, 2026
A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack.
Improper Input Validation
Undertow OOM DoS via Large application/x-www-form-urlencoded
CVE-2024-3884
7.5 - High
- December 03, 2025
A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.
Improper Input Validation
Smallrye Fault Tolerance OOM DoS via /metrics URI
CVE-2025-2240
7.5 - High
- March 12, 2025
A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.
Stack Exhaustion
Wildfly Elytron CLI Brute Force Vulnerability
CVE-2025-23368
8.1 - High
- March 04, 2025
A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI.
Improper Restriction of Excessive Authentication Attempts
serialize-javascript XSS via unsanitized regex input
CVE-2024-11831
5.4 - Medium
- February 10, 2025
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
XSS
Quarkus-HTTP Cookie Parsing Vulnerability
CVE-2024-12397
7.4 - High
- December 12, 2024
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.
HTTP Request Smuggling
Undertow ProxyProtocolReadListener StringBuilder reuse info-leak
CVE-2024-7885
7.5 - High
- August 21, 2024
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.
Race Condition
Undertow MaxAge Default -1 Exposes HTTP Learning-Push handler
CVE-2024-3653
5.3 - Medium
- July 08, 2024
A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.
Memory Leak
Undertow Chunked DoS: Missing 0\r\n Termination in Java 17 TLSv1.3
CVE-2024-5971
7.5 - High
- July 08, 2024
A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\r\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.
Stack Exhaustion
Undertow AJP Path Decoding Race Cond. DOS
CVE-2024-6162
7.5 - High
- June 20, 2024
A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.
Exposure of Data Element to Wrong Session
Quarkus JAX-RS Auth Bypass via Abstract Class Methods
CVE-2023-5675
6.5 - Medium
- April 25, 2024
A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.
AuthZ
Quarkus Core Env Var Leakage in Build
CVE-2024-2700
7 - High
- April 04, 2024
A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.
Exposure of Sensitive Information Through Environmental Variables
Memory Leak in Eclipse Vert.x TCP TLS Server via Fake SNI
CVE-2024-1300
5.4 - Medium
- April 02, 2024
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.
Missing Release of Resource after Effective Lifetime
Vert.x HTTP Client Memory Leak via Netty FastThreadLocal
CVE-2024-1023
6.5 - Medium
- March 27, 2024
A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.
Memory Leak
Xnio NotifierState Chain Overflow Uncontrolled Resource DoS
CVE-2023-5685
7.5 - High
- March 22, 2024
A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS).
Resource Exhaustion
Undertow WriteTimeoutStreamSinkConduit Causing Memory/File Exhaustion
CVE-2024-1635
7.5 - High
- February 19, 2024
A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.
Resource Exhaustion
Deserialization Before Auth in SpringSec CVE-2023-6267
CVE-2023-6267
8.6 - High
- January 25, 2024
A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.
Improper Handling of Exceptional Conditions
A flaw was found in Undertow
CVE-2021-3629
5.9 - Medium
- May 24, 2022
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.
Resource Exhaustion
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Red Hat Integration or by Red Hat? Click the Watch button to subscribe.
