Red Hat Integration Camel K
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Red Hat Integration Camel K.
Recent Red Hat Integration Camel K Security Advisories
Advisory | Title | Published |
---|---|---|
RHSA-2024:8339 | (RHSA-2024:8339) Important: Red Hat Integration Camel K 1.10.8 release and security update. | October 22, 2024 |
RHSA-2024:0148 | (RHSA-2024:0148) Important: Red Hat Integration Camel K 1.10.5 release and security update | January 10, 2024 |
RHSA-2023:6117 | (RHSA-2023:6117) Important: Red Hat Integration Camel K 1.10.4 release and security update | October 25, 2023 |
RHSA-2023:5337 | (RHSA-2023:5337) Important: Red Hat Integration Camel K 1.10.2 release security update | September 21, 2023 |
RHSA-2023:3906 | (RHSA-2023:3906) Important: Red Hat Integration Camel K 1.10.1 release security update | June 28, 2023 |
By the Year
In 2024 there have been 1 vulnerability in Red Hat Integration Camel K with an average score of 7.5 out of ten. Last year Integration Camel K had 7 security vulnerabilities published. Right now, Integration Camel K is on track to have less security vulnerabilities in 2024 than it did last year. However, the average CVE base score of the vulnerabilities in 2024 is greater by 0.91.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 1 | 7.50 |
2023 | 7 | 6.59 |
2022 | 7 | 7.01 |
2021 | 5 | 6.50 |
2020 | 0 | 0.00 |
2019 | 0 | 0.00 |
2018 | 0 | 0.00 |
It may take a day or so for new Integration Camel K vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Integration Camel K Security Vulnerabilities
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests
CVE-2024-7885
7.5 - High
- August 21, 2024
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.
Race Condition
The HTTP/2 protocol
CVE-2023-44487
7.5 - High
- October 10, 2023
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Resource Exhaustion
A flaw was found in codeplex-codehaus
CVE-2022-4244
7.5 - High
- September 25, 2023
A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.
Directory traversal
A flaw was found in codehaus-plexus
CVE-2022-4245
4.3 - Medium
- September 25, 2023
A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.
XXE
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests
CVE-2023-4853
8.1 - High
- September 20, 2023
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
AuthZ
A flaw was found in undertow
CVE-2023-1108
7.5 - High
- September 14, 2023
A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.
Infinite Loop
In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption
CVE-2022-41862
3.7 - Low
- March 03, 2023
In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.
The undertow client is not checking the server identity presented by the server certificate in https connections
CVE-2022-4492
7.5 - High
- February 23, 2023
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
A flaw was found in WildFly, where an attacker
CVE-2022-1278
7.5 - High
- September 13, 2022
A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.
Insecure Default Initialization of Resource
A flaw was found in Undertow
CVE-2022-2764
4.9 - Medium
- September 01, 2022
A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations.
A flaw was found in Undertow
CVE-2022-1259
7.5 - High
- August 31, 2022
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.
Resource Exhaustion
A flaw was found in XNIO, specifically in the notifyReadClosed method
CVE-2022-0084
7.5 - High
- August 26, 2022
A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.
Allocation of Resources Without Limits or Throttling
A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above
CVE-2021-4178
6.7 - Medium
- August 24, 2022
A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.
Marshaling, Unmarshaling
A flaw was found in Undertow
CVE-2021-3690
7.5 - High
- August 23, 2022
A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.
Memory Leak
When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize)
CVE-2022-2053
7.5 - High
- August 05, 2022
When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (application server) as an error state and not forward requests to the worker for a while. In mod_cluster, this continues until the next STATUS request (10 seconds intervals) from the application server updates the server state. So, in the worst case, it can result in "All workers are in error state" and mod_cluster responds "503 Service Unavailable" for a while (up to 10 seconds). In mod_proxy_balancer, it does not forward requests to the worker until the "retry" timeout passes. However, luckily, mod_proxy_balancer has "forcerecovery" setting (On by default; this parameter can force the immediate recovery of all workers without considering the retry parameter of the workers if all workers of a balancer are in error state.). So, unlike mod_cluster, mod_proxy_balancer does not result in responding "503 Service Unavailable". An attacker could use this behavior to send a malicious request and trigger server errors, resulting in DoS (denial of service). This flaw was fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2.
Resource Exhaustion
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration
CVE-2021-4104
7.5 - High
- December 14, 2021
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Marshaling, Unmarshaling
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final
CVE-2021-3642
5.3 - Medium
- August 05, 2021
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.
Side Channel Attack
A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes
CVE-2020-14326
7.5 - High
- June 02, 2021
A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.
A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode
CVE-2021-3536
4.8 - Medium
- May 20, 2021
A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity.
XSS
A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after
CVE-2021-20218
7.4 - High
- March 16, 2021
A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability. This has been fixed in kubernetes-client-4.13.2 kubernetes-client-5.0.2 kubernetes-client-4.11.2 kubernetes-client-4.7.2
Directory traversal
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Red Hat Integration Camel K or by Red Hat? Click the Watch button to subscribe.