{
  "threat_severity" : "Moderate",
  "public_date" : "2021-02-23T00:00:00Z",
  "bugzilla" : {
    "description" : "json-smart: uncaught exception may lead to crash or information disclosure",
    "id" : "1939839",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1939839"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.", "A flaw was found in json-smart. When an exception is thrown from a function, but is not caught, the program using the library may crash or expose sensitive information. The highest threat from this vulnerability is to data confidentiality and system availability.\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of json-smart package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated" ],
  "affected_release" : [ {
    "product_name" : "Red Hat AMQ Streams 1.8.0",
    "release_date" : "2021-08-19T00:00:00Z",
    "advisory" : "RHSA-2021:3225",
    "cpe" : "cpe:/a:redhat:amq_streams:1",
    "package" : "json-smart",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Fuse 7.10",
    "release_date" : "2021-12-14T00:00:00Z",
    "advisory" : "RHSA-2021:5134",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "json-smart",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Fuse 7.9",
    "release_date" : "2021-08-11T00:00:00Z",
    "advisory" : "RHSA-2021:3140",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration",
    "release_date" : "2021-12-02T00:00:00Z",
    "advisory" : "RHSA-2021:4918",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 1",
    "release_date" : "2021-11-23T00:00:00Z",
    "advisory" : "RHSA-2021:4767",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2.2"
  } ],
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/elasticsearch6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Affected",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:integration:1",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 1",
    "fix_state" : "Not affected",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "json-smart",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "openshift3/ose-logging-elasticsearch5",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Out of support scope",
    "package_name" : "openshift4/ose-logging-elasticsearch6",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-metering-hadoop",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-metering-hive",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-metering-presto",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-27568\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-27568" ],
  "name" : "CVE-2021-27568",
  "csaw" : false
}