{ "threat_severity" : "Low", "public_date" : "2024-03-20T00:00:00Z", "bugzilla" : { "description" : "commons-configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree", "id" : "2270673", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2270673" }, "cvss3" : { "cvss3_base_score" : "4.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "status" : "verified" }, "cwe" : "CWE-787", "details" : [ "Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.\nUsers are recommended to upgrade to version 2.10.1, which fixes the issue.", "A vulnerability was found in Apache Commons-Configuration2, where a Stack Overflow Error occurs when calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree. This issue could allow an attacker to trigger an out-of-bounds write that could lead to memory corruption or cause a denial of service condition." ], "affected_release" : [ { "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date" : "2024-06-13T00:00:00Z", "advisory" : "RHSA-2024:3920", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package" : "commons-configuration2" }, { "product_name" : "MTA-6.2-RHEL-9", "release_date" : "2024-06-20T00:00:00Z", "advisory" : "RHSA-2024:3989", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package" : "mta/mta-windup-addon-rhel9:6.2.3-2" }, { "product_name" : "Red Hat AMQ Broker 7", "release_date" : "2024-05-21T00:00:00Z", "advisory" : "RHSA-2024:2945", "cpe" : "cpe:/a:redhat:amq_broker:7.12", "package" : "commons-configuration2" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Fix deferred", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Fix deferred", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "Red Hat AMQ Clients", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:amq_clients:2023" }, { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:camel_quarkus:3" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 3", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:camel_spring_boot:3" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Out of support scope", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Fix deferred", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Out of support scope", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Out of support scope", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Out of support scope", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "Red Hat support for Spring Boot", "fix_state" : "Out of support scope", "package_name" : "commons-configuration2", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-29133\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-29133\nhttps://github.com/apache/commons-configuration/commit/43f4dab021e9acb8db390db2ae80aa0cee4f9ee4\nhttps://issues.apache.org/jira/browse/CONFIGURATION-841" ], "name" : "CVE-2024-29133", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }