Red Hat Integration Service Registry
By the Year
In 2023 there have been 5 vulnerabilities in Red Hat Integration Service Registry with an average score of 6.9 out of ten. Last year Integration Service Registry had 1 security vulnerability published. That is, 4 more vulnerabilities have already been reported in 2023 as compared to last year. Last year, the average CVE base score was greater by 0.64
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2023 | 5 | 6.86 |
| 2022 | 1 | 7.50 |
| 2021 | 1 | 4.80 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Integration Service Registry vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Integration Service Registry Security Vulnerabilities
The HTTP/2 protocol
CVE-2023-44487
7.5 - High
- October 10, 2023
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Resource Exhaustion
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests
CVE-2023-4853
8.1 - High
- September 20, 2023
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
AuthZ
A flaw was found in undertow
CVE-2023-1108
7.5 - High
- September 14, 2023
A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.
Infinite Loop
In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption
CVE-2022-41862
3.7 - Low
- March 03, 2023
In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.
The undertow client is not checking the server identity presented by the server certificate in https connections
CVE-2022-4492
7.5 - High
- February 23, 2023
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
A flaw was found in WildFly, where an attacker
CVE-2022-1278
7.5 - High
- September 13, 2022
A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.
Insecure Default Initialization of Resource
A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode
CVE-2021-3536
4.8 - Medium
- May 20, 2021
A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity.
XSS
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Red Hat Wildfly or by Red Hat? Click the Watch button to subscribe.
