First published: Thu Jun 15 2023
This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed:

- spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
- woodstox-core: woodstox, used to serialise XML data, was vulnerable to Denial of Service attacks (CVE-2022-40152)
- xstream: XStream, used to serialise XML data, was vulnerable to Denial of Service attacks (CVE-2022-40156)
- dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
- snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
- sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
- jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
- json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
- jackson-databind: use of deeply nested arrays (CVE-2022-42004)
- jackson-databind: deep wrapper array nesting with respect to UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
- snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
- snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
- snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern.match (CVE-2022-38751)
- snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
- CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
- CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.