{
  "threat_severity" : "Moderate",
  "public_date" : "2022-09-20T00:00:00Z",
  "bugzilla" : {
    "description" : "jettison: parser crash by stackoverflow",
    "id" : "2135771",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-787",
  "details" : [ "Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.", "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack." ],
  "affected_release" : [ {
    "product_name" : "OCP-Tools-4.12-RHEL-8",
    "release_date" : "2023-06-15T00:00:00Z",
    "advisory" : "RHSA-2023:3610",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8",
    "package" : "jenkins-2-plugins-0:4.12.1686649756-1.el8"
  }, {
    "product_name" : "OpenShift Developer Tools and Services for OCP 4.11",
    "release_date" : "2023-06-19T00:00:00Z",
    "advisory" : "RHSA-2023:3663",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.11::el8",
    "package" : "jenkins-2-plugins-0:4.11.1686831822-1.el8"
  }, {
    "product_name" : "Red Hat AMQ Streams 2.4.0",
    "release_date" : "2023-05-18T00:00:00Z",
    "advisory" : "RHSA-2023:3223",
    "cpe" : "cpe:/a:redhat:amq_streams:2",
    "package" : "jettison"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "release_date" : "2023-01-31T00:00:00Z",
    "advisory" : "RHSA-2023:0556",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4",
    "package" : "jettison"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-04-28T00:00:00Z",
    "advisory" : "RHSA-2025:4226",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-activemq-artemis-0:1.5.5.016-1.redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-04-28T00:00:00Z",
    "advisory" : "RHSA-2025:4226",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-artemis-native-1:1.5.5.016-1.redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-04-28T00:00:00Z",
    "advisory" : "RHSA-2025:4226",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-jboss-xnio-base-0:3.5.11-1.Final_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-04-28T00:00:00Z",
    "advisory" : "RHSA-2025:4226",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-jsoup-0:1.14.2-1.redhat_00002.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-04-28T00:00:00Z",
    "advisory" : "RHSA-2025:4226",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-undertow-0:1.4.18-14.SP13_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-04-28T00:00:00Z",
    "advisory" : "RHSA-2025:4226",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-wildfly-0:7.1.10-2.GA_redhat_00002.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-04-28T00:00:00Z",
    "advisory" : "RHSA-2025:4226",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-woodstox-core-0:5.0.3-2.redhat_00002.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-04-28T00:00:00Z",
    "advisory" : "RHSA-2025:4226",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-xml-security-0:2.0.10-2.redhat_00002.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-05-05T00:00:00Z",
    "advisory" : "RHSA-2025:4437",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-activemq-artemis-0:2.9.0-10.redhat_00021.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-05-05T00:00:00Z",
    "advisory" : "RHSA-2025:4437",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-gson-0:2.8.9-1.redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-05-05T00:00:00Z",
    "advisory" : "RHSA-2025:4437",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-hal-console-0:3.2.18-1.Final_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-05-05T00:00:00Z",
    "advisory" : "RHSA-2025:4437",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jboss-server-migration-0:1.7.2-14.Final_redhat_00015.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-05-05T00:00:00Z",
    "advisory" : "RHSA-2025:4437",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jboss-xnio-base-0:3.7.14-3.Final_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-05-05T00:00:00Z",
    "advisory" : "RHSA-2025:4437",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-wildfly-0:7.3.13-4.GA_redhat_00002.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-05-05T00:00:00Z",
    "advisory" : "RHSA-2025:4437",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
    "release_date" : "2023-01-31T00:00:00Z",
    "advisory" : "RHSA-2023:0553",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8",
    "package" : "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
    "release_date" : "2023-01-31T00:00:00Z",
    "advisory" : "RHSA-2023:0554",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
    "package" : "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
    "release_date" : "2023-01-31T00:00:00Z",
    "advisory" : "RHSA-2023:0552",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
    "package" : "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "release_date" : "2023-03-01T00:00:00Z",
    "advisory" : "RHSA-2023:1049",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6",
    "package" : "jettison"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 7",
    "release_date" : "2023-03-01T00:00:00Z",
    "advisory" : "RHSA-2023:1043",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7",
    "package" : "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 8",
    "release_date" : "2023-03-01T00:00:00Z",
    "advisory" : "RHSA-2023:1044",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8",
    "package" : "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 9",
    "release_date" : "2023-03-01T00:00:00Z",
    "advisory" : "RHSA-2023:1045",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9",
    "package" : "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2023-03-01T00:00:00Z",
    "advisory" : "RHSA-2023:1047",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rh-sso-7/sso76-openshift-rhel8:7.6-20"
  }, {
    "product_name" : "RHINT Camel-Q 2.13.2",
    "release_date" : "2023-01-26T00:00:00Z",
    "advisory" : "RHSA-2023:0469",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2.13",
    "package" : "jettison"
  }, {
    "product_name" : "RHINT Camel-Springboot 3.14.5.P1",
    "release_date" : "2023-01-30T00:00:00Z",
    "advisory" : "RHSA-2023:0544",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:3.14.5",
    "package" : "jettison"
  }, {
    "product_name" : "RHPAM 7.13.1 async",
    "release_date" : "2023-05-04T00:00:00Z",
    "advisory" : "RHSA-2023:2135",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"
  } ],
  "package_state" : [ {
    "product_name" : "A-MQ Clients 2",
    "fix_state" : "Not affected",
    "package_name" : "jettison",
    "cpe" : "cpe:/a:redhat:a_mq_clients:2"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/elasticsearch6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Will not fix",
    "package_name" : "jettison",
    "cpe" : "cpe:/a:redhat:quarkus:2"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "jettison",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Out of support scope",
    "package_name" : "jettison",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "jettison",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "jettison",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Affected",
    "package_name" : "jettison",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Out of support scope",
    "package_name" : "jettison",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jettison",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "eap6-jettison",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossas-modules-eap",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jboss-on",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jettison",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "keycloak-adapter-eap6",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "keycloak-adapter-sso7_2-eap6",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "keycloak-adapter-sso7_3-eap6",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "keycloak-adapter-sso7_4-eap6",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "keycloak-adapter-sso7_5-eap6",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Will not fix",
    "package_name" : "jettison",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jettison",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jettison",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Out of support scope",
    "package_name" : "jboss-on",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Out of support scope",
    "package_name" : "org.jboss.on-jboss-on-parent",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Out of support scope",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Out of support scope",
    "package_name" : "jettison",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "jettison",
    "cpe" : "cpe:/a:redhat:satellite:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-40149\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-40149\nhttps://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" ],
  "name" : "CVE-2022-40149",
  "csaw" : false
}