Issued:: 2024-06-20
Updated:: 2024-06-20

RHSA-2024:3989 - Important: Migration Toolkit for Applications security and bug fix update

Synopsis

Important: Migration Toolkit for Applications security and bug fix update

Type/Severity

Security Advisory Important

Topic

Migration Toolkit for Applications 6.2.3 release

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Migration Toolkit for Applications 6.2.3 Images

Security Fix(es) from Bugzilla:

keycloak: path transversal in redirection validation (CVE-2024-1132)
webpack-dev-middleware: lack of URL validation may lead to file leak (CVE-2024-29180)
axios: exposure of confidential data stored in cookies (CVE-2023-45857)
css-tools: Improper Input Validation causes Denial of Service via Regular Expression (CVE-2023-26364)
css-tools: regular expression denial of service (ReDoS) when parsing CSS (CVE-2023-48631)
follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse() (CVE-2023-26159)
io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)
io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)
commons-compress: OutOfMemoryError unpacking broken Pack200 file (CVE-2024-26308)
follow-redirects: Possible credential leak (CVE-2024-28849)
jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)
commons-configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree (CVE-2024-29133)
commons-configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator() (CVE-2024-29131)

Solution

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Product	Version	Arch
Red Hat Migration Toolkit for Applications	Container Advisories	x86_64

Fixes

CVEs

CVE-2014-1745
CVE-2021-29390
CVE-2022-33065
CVE-2022-40090
CVE-2022-48554
CVE-2023-2975
CVE-2023-3446
CVE-2023-3618
CVE-2023-3817
CVE-2023-5678
CVE-2023-6129
CVE-2023-6228
CVE-2023-6237
CVE-2023-7008
CVE-2023-25193
CVE-2023-26159
CVE-2023-26364
CVE-2023-32359
CVE-2023-36479
CVE-2023-37328
CVE-2023-38469
CVE-2023-38470
CVE-2023-38471
CVE-2023-38472
CVE-2023-38473
CVE-2023-39928
CVE-2023-40414
CVE-2023-40745
CVE-2023-41175
CVE-2023-41983
CVE-2023-42852
CVE-2023-42883
CVE-2023-42890
CVE-2023-43785
CVE-2023-43786
CVE-2023-43787
CVE-2023-45857
CVE-2023-47038
CVE-2023-48631
CVE-2024-0727
CVE-2024-1023
CVE-2024-1132
CVE-2024-1300
CVE-2024-2961
CVE-2024-21011
CVE-2024-21012
CVE-2024-21068
CVE-2024-21085
CVE-2024-21094
CVE-2024-22365
CVE-2024-23206
CVE-2024-23213
CVE-2024-25062
CVE-2024-25710
CVE-2024-26308
CVE-2024-28182
CVE-2024-28834
CVE-2024-28835
CVE-2024-28849
CVE-2024-29131
CVE-2024-29133
CVE-2024-29180
CVE-2024-32487
CVE-2024-33599
CVE-2024-33600
CVE-2024-33601
CVE-2024-33602

References

https://access.redhat.com/security/updates/classification/#important

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.