- Issued: 2024-06-20
- Updated: 2024-06-20
RHSA-2024:3989 - Security Advisory
Synopsis
Important: Migration Toolkit for Applications security and bug fix update
Type/Severity
Security Advisory: Important
Topic
Migration Toolkit for Applications 6.2.3 release
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Description
Migration Toolkit for Applications 6.2.3 Images
Security Fix(es) from Bugzilla:
- keycloak: path traversal in redirection validation (CVE-2024-1132)
- webpack-dev-middleware: lack of URL validation may lead to file leak (CVE-2024-29180)
- axios: exposure of confidential data stored in cookies (CVE-2023-45857)
- css-tools: Improper Input Validation causes Denial of Service via Regular Expression (CVE-2023-26364)
- css-tools: regular expression denial of service (ReDoS) when parsing CSS (CVE-2023-48631)
- follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse() (CVE-2023-26159)
- io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)
- io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
- commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)
- commons-compress: OutOfMemoryError unpacking broken Pack200 file (CVE-2024-26308)
- follow-redirects: Possible credential leak (CVE-2024-28849)
- jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)
- commons-configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree (CVE-2024-29133)
- commons-configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator() (CVE-2024-29131)
Affected Products
- Red Hat Migration Toolkit for Applications 1 x86_64
Fixes
- BZ - 2239630 - CVE-2023-36479 jetty: Improper addition of quotation marks to user inputs in CgiServlet
- BZ - 2248979 - CVE-2023-45857 axios: exposure of confidential data stored in cookies
- BZ - 2250364 - CVE-2023-26364 css-tools: Improper Input Validation causes Denial of Service via Regular Expression
- BZ - 2254559 - CVE-2023-48631 css-tools: regular expression denial of service (ReDoS) when parsing CSS
- BZ - 2256413 - CVE-2023-26159 follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()
- BZ - 2260840 - CVE-2024-1023 io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx
- BZ - 2262117 - CVE-2024-1132 keycloak: path traversal in redirection validation
- BZ - 2263139 - CVE-2024-1300 io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support
- BZ - 2264988 - CVE-2024-25710 commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file
- BZ - 2264989 - CVE-2024-26308 commons-compress: OutOfMemoryError unpacking broken Pack200 file
- BZ - 2269576 - CVE-2024-28849 follow-redirects: Possible credential leak
- BZ - 2270673 - CVE-2024-29133 commons-configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree
- BZ - 2270674 - CVE-2024-29131 commons-configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()
- BZ - 2270863 - CVE-2024-29180 webpack-dev-middleware: lack of URL validation may lead to file leak
CVEs
- CVE-2014-1745
- CVE-2021-29390
- CVE-2022-33065
- CVE-2022-40090
- CVE-2022-48554
- CVE-2023-2975
- CVE-2023-3446
- CVE-2023-3618
- CVE-2023-3817
- CVE-2023-5678
- CVE-2023-6129
- CVE-2023-6228
- CVE-2023-6237
- CVE-2023-7008
- CVE-2023-25193
- CVE-2023-26159
- CVE-2023-26364
- CVE-2023-32359
- CVE-2023-36479
- CVE-2023-37328
- CVE-2023-38469
- CVE-2023-38470
- CVE-2023-38471
- CVE-2023-38472
- CVE-2023-38473
- CVE-2023-39928
- CVE-2023-40414
- CVE-2023-40745
- CVE-2023-41175
- CVE-2023-41983
- CVE-2023-42852
- CVE-2023-42883
- CVE-2023-42890
- CVE-2023-43785
- CVE-2023-43786
- CVE-2023-43787
- CVE-2023-45857
- CVE-2023-47038
- CVE-2023-48631
- CVE-2024-0727
- CVE-2024-1023
- CVE-2024-1132
- CVE-2024-1300
- CVE-2024-2961
- CVE-2024-21011
- CVE-2024-21012
- CVE-2024-21068
- CVE-2024-21085
- CVE-2024-21094
- CVE-2024-22365
- CVE-2024-23206
- CVE-2024-23213
- CVE-2024-25062
- CVE-2024-25710
- CVE-2024-26308
- CVE-2024-28182
- CVE-2024-28834
- CVE-2024-28835
- CVE-2024-28849
- CVE-2024-29131
- CVE-2024-29133
- CVE-2024-29180
- CVE-2024-32487
- CVE-2024-33599
- CVE-2024-33600
- CVE-2024-33601
- CVE-2024-33602
x86_64
- mta/mta-hub-rhel9@sha256:325bec37f1ab499f8ae0abb38ca3929f66a0fe63b6ebdf60a1cdc3bbd79ad25e
- mta/mta-operator-bundle@sha256:a13643117c2867351718a872f7f1b2350c67855ca73a727a1dc140754ffe6589
- mta/mta-pathfinder-rhel9@sha256:851d4890717247af6aa9b0b6da9be95fe8aeb70183834e9de15a4302c487b9f0
- mta/mta-rhel8-operator@sha256:f588b869c3f273eb20c4c80a9aa5acd4a84c56c1dd85429a39a7d2d60f28d41e
- mta/mta-ui-rhel9@sha256:0e0167affe099168142b9ebdce5520e972dea63ff6c7f3cda48e0bb4ae4cd0ec
- mta/mta-windup-addon-rhel9@sha256:7884928eb3d01d4f9c8b5463ef9f6cec7d7df4d669e6d30cafe05af60202b003
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.