Red Hat Offline Knowledge Portal
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Red Hat Offline Knowledge Portal.
Recent Red Hat Offline Knowledge Portal Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:28573 | (RHSA-2026:28573) Red Hat Offline Knowledge Portal security and content update | June 23, 2026 |
| RHSA-2026:21773 | (RHSA-2026:21773) Red Hat Offline Knowledge Portal security and content update | May 28, 2026 |
By the Year
In 2026 there have been 11 vulnerabilities in Red Hat Offline Knowledge Portal with an average score of 7.1 out of ten.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 11 | 7.13 |
It may take a day or so for new Offline Knowledge Portal vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Offline Knowledge Portal Security Vulnerabilities
Netty 4.1/4.2 X509MT Wrapper Bug: No Hostname Verification
CVE-2026-50010
7.5 - High
- June 12, 2026
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Improper Verification of Cryptographic Signature
Netty <4.1.135 / <4.2.15 TLS ClientHello Buffer Overflow
CVE-2026-45416
7.5 - High
- June 12, 2026
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates `ctx.alloc().buffer(handshakeLength)` (line 161). The guard at line 140 is `handshakeLength > maxClientHelloLength && maxClientHelloLength != 0`, and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Allocation of Resources Without Limits or Throttling
Netty IpSubnetFilterRule IPv6 Bypass < 4.1.135/4.2.15
CVE-2026-44249
8.1 - High
- June 11, 2026
Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
Authorization
Unbounded Memory Allocation via Baggage Prop in OpenTelemetry Java <1.62.0
CVE-2026-45292
7.5 - High
- May 28, 2026
opentelemetry-java is the Java implementation of the OpenTelemetry API for recording telemetry, and SDK for managing telemetry recorded by the API. Prior to 1.62.0, a vulnerability affects the baggage propagation implementation in opentelemetry-api and opentelemetry-extension-trace-propagators. Parsing oversized baggage causes unbounded memory allocation and CPU consumption. Because baggage is automatically re-injected into every outgoing request, the effect can fan out to downstream services that never received the original malicious request. This vulnerability is fixed in 1.62.0.
Allocation of Resources Without Limits or Throttling
Apache HttpClient 5.6 Auth Bypass SCRAM-SHA-256 (CVE-2026-40542)
CVE-2026-40542
7.3 - High
- April 22, 2026
Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
Missing Critical Step in Authentication
Jetty HTTP/1.1 Parser Chunk Extension Smuggling Vulnerability
CVE-2026-2332
7.4 - High
- April 14, 2026
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
HTTP Request Smuggling
Jetty JASPIAuthenticator ThreadLocal Leak Causes Privilege Escalation
CVE-2026-5795
7.4 - High
- April 08, 2026
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.
Sensitive Information in Resource Not Removed Before Reuse
Apache ZooKeeper 3.8.53.9.4 LOG Info Exposure via ZKConfig
CVE-2026-24308
3.3 - Low
- March 07, 2026
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.
Insertion of Sensitive Information into Log File
Apache ZooKeeper <=3.8.5 ZKTrustManager Reverse DNS Fallback
CVE-2026-24281
7.4 - High
- March 07, 2026
Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.
Reliance on Reverse DNS Resolution for a Security-Critical Action
Jetty GzipHandler resource leak before v12.0.31/12.1.0 due to JDK Inflater
CVE-2026-1605
7.5 - High
- March 05, 2026
In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.
Resource Exhaustion
urllib3 v1.22v2.6.3 Redirect Stream Decompress Bomb (preload_content=False)
CVE-2026-21441
7.5 - High
- January 07, 2026
urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.
Data Amplification
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Red Hat Offline Knowledge Portal or by Red Hat? Click the Watch button to subscribe.
