{ "threat_severity" : "Low", "public_date" : "2024-03-20T00:00:00Z", "bugzilla" : { "description" : "commons-configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()", "id" : "2270674", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2270674" }, "cvss3" : { "cvss3_base_score" : "4.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "status" : "verified" }, "cwe" : "CWE-787", "details" : [ "Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.\nUsers are recommended to upgrade to version 2.10.1, which fixes the issue.", "A vulnerability was found in Apache Commons-Configuration2, where a Stack Overflow Error can occur when adding a property in AbstractListDelimiterHandler.flattenIterator(). This issue could allow an attacker to corrupt memory or execute a denial of service attack by crafting malicious property that triggers an out-of-bounds write issue when processed by the vulnerable method." ], "affected_release" : [ { "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date" : "2024-06-13T00:00:00Z", "advisory" : "RHSA-2024:3920", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package" : "commons-configuration2" }, { "product_name" : "MTA-6.2-RHEL-9", "release_date" : "2024-06-20T00:00:00Z", "advisory" : "RHSA-2024:3989", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package" : "mta/mta-windup-addon-rhel9:6.2.3-2" }, { "product_name" : "Red Hat AMQ Broker 7", "release_date" : "2024-05-21T00:00:00Z", "advisory" : "RHSA-2024:2945", "cpe" : "cpe:/a:redhat:amq_broker:7.12", "package" : "commons-configuration2" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Will not fix", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Fix deferred", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "Red Hat AMQ Clients", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:amq_clients:2023" }, { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:camel_quarkus:3" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 3", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:camel_spring_boot:3" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Out of support scope", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Will not fix", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Out of support scope", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Out of support scope", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Will not fix", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "Red Hat support for Spring Boot", "fix_state" : "Out of support scope", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-29131\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-29131\nhttps://github.com/apache/commons-configuration/commit/56b5c4dcdffbde27870df5a3105d6a5f9b22f554\nhttps://github.com/apache/commons-configuration/commit/7d7d399d0598cb0ca5f81891de34694178156dab\nhttps://issues.apache.org/jira/browse/CONFIGURATION-840" ], "name" : "CVE-2024-29131", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }