{ "threat_severity" : "Low", "public_date" : "2022-09-20T00:00:00Z", "bugzilla" : { "description" : "jettison: memory exhaustion via user-supplied XML or JSON data", "id" : "2135770", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-400", "details" : [ "Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.", "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack." ], "affected_release" : [ { "product_name" : "OCP-Tools-4.12-RHEL-8", "release_date" : "2023-06-15T00:00:00Z", "advisory" : "RHSA-2023:3610", "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8", "package" : "jenkins-2-plugins-0:4.12.1686649756-1.el8" }, { "product_name" : "OpenShift Developer Tools and Services for OCP 4.11", "release_date" : "2023-06-19T00:00:00Z", "advisory" : "RHSA-2023:3663", "cpe" : "cpe:/a:redhat:ocp_tools:4.11::el8", "package" : "jenkins-2-plugins-0:4.11.1686831822-1.el8" }, { "product_name" : "Red Hat AMQ Streams 2.4.0", "release_date" : "2023-05-18T00:00:00Z", "advisory" : "RHSA-2023:3223", "cpe" : "cpe:/a:redhat:amq_streams:2", "package" : "jettison" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "release_date" : "2023-01-31T00:00:00Z", "advisory" : "RHSA-2023:0556", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package" : "jettison" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-05-05T00:00:00Z", "advisory" : "RHSA-2025:4437", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-activemq-artemis-0:2.9.0-10.redhat_00021.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-05-05T00:00:00Z", "advisory" : "RHSA-2025:4437", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-gson-0:2.8.9-1.redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-05-05T00:00:00Z", "advisory" : "RHSA-2025:4437", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-hal-console-0:3.2.18-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-05-05T00:00:00Z", "advisory" : "RHSA-2025:4437", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-jboss-server-migration-0:1.7.2-14.Final_redhat_00015.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-05-05T00:00:00Z", "advisory" : "RHSA-2025:4437", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-jboss-xnio-base-0:3.7.14-3.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-05-05T00:00:00Z", "advisory" : "RHSA-2025:4437", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-wildfly-0:7.3.13-4.GA_redhat_00002.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-05-05T00:00:00Z", "advisory" : "RHSA-2025:4437", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date" : "2023-01-31T00:00:00Z", "advisory" : "RHSA-2023:0553", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package" : "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date" : "2023-01-31T00:00:00Z", "advisory" : "RHSA-2023:0554", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package" : "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date" : "2023-01-31T00:00:00Z", "advisory" : "RHSA-2023:0552", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package" : "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap" }, { "product_name" : "Red Hat Single Sign-On 7", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1049", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6", "package" : "jettison" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1043", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package" : "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1044", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package" : "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1045", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package" : "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1047", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rh-sso-7/sso76-openshift-rhel8:7.6-20" }, { "product_name" : "RHINT Camel-Q 2.13.2", "release_date" : "2023-01-26T00:00:00Z", "advisory" : "RHSA-2023:0469", "cpe" : "cpe:/a:redhat:camel_quarkus:2.13", "package" : "jettison" }, { "product_name" : "RHINT Camel-Springboot 3.20.1", "release_date" : "2023-05-03T00:00:00Z", "advisory" : "RHSA-2023:2100", "cpe" : "cpe:/a:redhat:camel_spring_boot:3.20.1", "package" : "jettison" }, { "product_name" : "RHPAM 7.13.1 async", "release_date" : "2023-05-04T00:00:00Z", "advisory" : "RHSA-2023:2135", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Not affected", "package_name" : "jettison", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "openshift-logging/elasticsearch6-rhel8", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Fix deferred", "package_name" : "jettison", "cpe" : "cpe:/a:redhat:quarkus:2" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "jettison", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Out of support scope", "package_name" : "jettison", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "jettison", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Fix deferred", "package_name" : "jettison", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Not affected", "package_name" : "jettison", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "jettison", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Out of support scope", "package_name" : "jettison", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "eap6-jettison", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "jbossas-modules-eap", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "jboss-on", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "jettison", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_2-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_3-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_4-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_5-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Affected", "package_name" : "jettison", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "jettison", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "jettison", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat JBoss Operations Network 3", "fix_state" : "Out of support scope", "package_name" : "jboss-on", "cpe" : "cpe:/a:redhat:jboss_operations_network:3" }, { "product_name" : "Red Hat JBoss Operations Network 3", "fix_state" : "Out of support scope", "package_name" : "org.jboss.on-jboss-on-parent", "cpe" : "cpe:/a:redhat:jboss_operations_network:3" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Out of support scope", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Out of support scope", "package_name" : "jettison", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "jettison", "cpe" : "cpe:/a:redhat:satellite:6" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-40150\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-40150\nhttps://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" ], "name" : "CVE-2022-40150", "csaw" : false }