diff --git a/rhel/vex/fetcher_test.go b/rhel/vex/fetcher_test.go
index 9c001502b..3c563af85 100644
--- a/rhel/vex/fetcher_test.go
+++ b/rhel/vex/fetcher_test.go
@@ -4,51 +4,50 @@ import ( "bufio" "bytes" "context" - "fmt" "io" "net/http" "net/http/httptest" + "net/textproto" "os" + "path/filepath" "testing" "github.com/quay/zlog" + "golang.org/x/tools/txtar" "github.com/quay/claircore/pkg/csaf" ) +func parseFilenameHeaders(data []byte) (string, http.Header, error) { + pf, h, _ := bytes.Cut(data, []byte{' '}) + compressedFilepath := bytes.TrimSuffix(pf, []byte{'\n'}) + h = bytes.ReplaceAll(h, []byte(`\n`), []byte{'\n'}) + // Do headers + tp := textproto.NewReader(bufio.NewReader(bytes.NewReader(h))) + hdr, err := tp.ReadMIMEHeader() + if err != nil && err != io.EOF { + return "", nil, err + } + return string(compressedFilepath), http.Header(hdr), nil +} + func serveSecDB(t *testing.T) (string, *http.Client) { mux := http.NewServeMux() - mux.HandleFunc("/archive_latest.txt", func(w http.ResponseWriter, _ *http.Request) { - _, err := w.Write([]byte("csaf_vex_2023-10-31.tar.zst")) - if err != nil { - t.Fatal(err) - } - }) - mux.HandleFunc("/csaf_vex_2023-10-31.tar.zst", func(w http.ResponseWriter, _ *http.Request) { - w.Header().Set("last-modified", "Mon, 11 Dec 2023 00:00:00 UTC") - f, err := os.Open("testdata/server/csaf_vex_2023-10-31.tar.zst") - if err != nil { - t.Fatal(err) - } - if _, err := io.Copy(w, f); err != nil { - t.Fatal(err) - } - }) - mux.HandleFunc("/changes.csv", func(w http.ResponseWriter, _ *http.Request) { - w.Header().Set("etag", "something") - _, err := w.Write([]byte(`"2023/cve-2023-0030.json","2023-12-10T00:00:00+00:00" -"2023/cve-2023-0044.json","2023-12-12T00:00:00+00:00" -"2023/cve-2023-0118.json","2023-12-12T00:00:00+00:00" -`)) - if err != nil { - t.Fatal(err) + archive, err := txtar.ParseFile("testdata/server.txt") + if err != nil { + t.Fatal(err) + } + relFilepath, headers, err := parseFilenameHeaders(archive.Comment) + if err != nil { + t.Fatal(err) + } + filename := filepath.Base(relFilepath) + mux.HandleFunc("/"+filename, func(w http.ResponseWriter, _ *http.Request) { + for k, v := range 
headers { + w.Header().Set(k, v[0]) } - }) - mux.HandleFunc("/2023/cve-2023-0030.json", func(w http.ResponseWriter, _ *http.Request) { - t.Fatal("should not be called as compressed data is newer than this entry") - }) - mux.HandleFunc("/2023/cve-2023-0044.json", func(w http.ResponseWriter, _ *http.Request) { - f, err := os.Open("testdata/server/2023/cve-2023-0044.json") + + f, err := os.Open("testdata/" + relFilepath) if err != nil { t.Fatal(err) } @@ -56,15 +55,22 @@ func serveSecDB(t *testing.T) (string, *http.Client) { t.Fatal(err) } }) - mux.HandleFunc("/2023/cve-2023-0118.json", func(w http.ResponseWriter, _ *http.Request) { - f, err := os.Open("testdata/server/2023/cve-2023-0118.json") + for _, f := range archive.Files { + urlPath, headers, err := parseFilenameHeaders([]byte(f.Name)) if err != nil { t.Fatal(err) } - if _, err := io.Copy(w, f); err != nil { - t.Fatal(err) - } - }) + fi := f + mux.HandleFunc(urlPath, func(w http.ResponseWriter, _ *http.Request) { + for k, v := range headers { + w.Header().Set(k, v[0]) + } + _, err := w.Write(bytes.TrimSuffix(fi.Data, []byte{'\n'})) + if err != nil { + t.Fatal(err) + } + }) + } srv := httptest.NewServer(mux) t.Cleanup(srv.Close) @@ -110,11 +116,10 @@ func TestFactory(t *testing.T) { lnCt := 0 r := bufio.NewReader(data) for b, err := r.ReadBytes('\n'); err == nil; b, err = r.ReadBytes('\n') { - c, err := csaf.ParseCSAF(b) + _, err := csaf.ParseCSAF(b) if err != nil { t.Error(err) } - fmt.Println(c.Document.Tracking.ID) lnCt++ } if lnCt != expectedLnCt { diff --git a/rhel/vex/testdata/server/2023/cve-2023-0118.json b/rhel/vex/testdata/server.txt similarity index 99% rename from rhel/vex/testdata/server/2023/cve-2023-0118.json rename to rhel/vex/testdata/server.txt index 1c440c0a0..a38a3ac39 100644 --- a/rhel/vex/testdata/server/2023/cve-2023-0118.json +++ b/rhel/vex/testdata/server.txt 
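Review bot: The `"/"+filename` handler opens `"testdata/" + relFilepath` with os.Open but never closes it, so every request for the archive path leaks a file descriptor until the test process exits; add `defer f.Close()` directly after the open's error check. The path is also built by string concatenation although `path/filepath` is now imported — `f, err := os.Open(filepath.Join("testdata", relFilepath))` keeps it portable. parseFilenameHeaders deserves a doc comment stating the line format it accepts from the txtar comment and file names (a path, a space, then `key:value` headers with literal `\n` standing for newlines), since the `bytes.ReplaceAll` of the two-character `\n` sequence is not obvious to a reader; the `err != io.EOF` comparison is also better written `errors.Is(err, io.EOF)`, which would need `errors` added to the import block. The handler body and serveSecDB continue past the end of this hunk.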
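Review bot: The loop over archive.Files only registers the paths present in testdata/server.txt, and that archive has no `/2023/cve-2023-0030.json` entry, so the old handler that failed the test with "should not be called as compressed data is newer than this entry" has no replacement; a request for that path now gets the mux's default 404 and whether the fetcher reports that as a failure is not visible here. Restore the negative check by registering a catch-all after the loop, e.g. `mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { t.Errorf("unexpected request: %s", r.URL.Path); http.NotFound(w, r) })`, which also makes any future unexpected fetch visible instead of silently 404ing. Inside the per-file handler, `t.Fatal(err)` runs on the server's goroutine rather than the test goroutine; `t.Error` followed by a return is the supported form there. The `fi := f` copy suggests the module is on a pre-1.22 Go version, which is worth confirming against go.mod. serveSecDB continues beyond this hunk.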
@@ -1,3 +1,515 @@ +server/csaf_vex_2023-10-31.tar.zst last-modified:Mon, 11 Dec 2023 00:00:00 UTC\nanother:header +-- /archive_latest.txt -- +csaf_vex_2023-10-31.tar.zst +-- /changes.csv etag:something -- +"2023/cve-2023-0030.json","2023-12-10T00:00:00+00:00" +"2023/cve-2023-0044.json","2023-12-12T00:00:00+00:00" +"2023/cve-2023-0118.json","2023-12-12T00:00:00+00:00" +-- /2023/cve-2023-0044.json -- +{ + "document": { + "aggregate_severity": { + "namespace": "https://access.redhat.com/security/updates/classification/", + "text": "low" + }, + "category": "csaf_vex", + "csaf_version": "2.0", + "distribution": { + "text": "Copyright © Red Hat, Inc. All rights reserved.", + "tlp": { + "label": "WHITE", + "url": "https://www.first.org/tlp/" + } + }, + "lang": "en", + "notes": [ + { + "category": "legal_disclaimer", + "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", + "title": "Terms of Use" + } + ], + "publisher": { + "category": "vendor", + "contact_details": "https://access.redhat.com/security/team/contact/", + "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.", + "name": "Red Hat Product Security", + "namespace": "https://www.redhat.com" + }, + "references": [ + { + "category": "self", + "summary": "Canonical URL", + "url": "https://access.redhat.com/security/data/csaf/beta/vex/2023/cve-2023-0044.json" + } + ], + "title": "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", + "tracking": { + "current_release_date": "2023-11-13T11:31:31+00:00", + "generator": { + "date": "2023-11-13T12:16:30+00:00", + "engine": { + "name": "Red Hat SDEngine", + "version": "3.24.0" + } + }, + "id": "CVE-2023-0044", + "initial_release_date": "2023-01-04T00:00:00+00:00", + "revision_history": [ + { + "date": "2023-01-04T00:00:00+00:00", + "number": "1", + "summary": "Initial version" + }, + { + "date": "2023-11-13T11:31:31+00:00", + "number": "2", + "summary": "Current version" + } + ], + "status": "final", + "version": "1" + } + }, + "product_tree": { + "branches": [ + { + "branches": [ + { + "category": "product_name", + "name": "A-MQ Clients 2", + "product": { + "name": "A-MQ Clients 2", + "product_id": "a-mq_clients_2", + "product_identification_helper": { + "cpe": "cpe:/a:redhat:a_mq_clients:2" + } + } + }, + { + "category": "product_name", + "name": "Red Hat build of Quarkus", + "product": { + "name": "Red Hat build of Quarkus", + "product_id": "red_hat_build_of_quarkus", + "product_identification_helper": { + "cpe": "cpe:/a:redhat:quarkus:2" + } + } + }, + { + "category": "product_name", + "name": "Red Hat Integration Camel K", + "product": { + "name": "Red Hat Integration Camel K", + "product_id": "red_hat_integration_camel_k", + "product_identification_helper": { + "cpe": 
"cpe:/a:redhat:integration:1" + } + } + }, + { + "category": "product_name", + "name": "Red Hat Integration Camel Quarkus", + "product": { + "name": "Red Hat Integration Camel Quarkus", + "product_id": "red_hat_integration_camel_quarkus", + "product_identification_helper": { + "cpe": "cpe:/a:redhat:camel_quarkus:2" + } + } + }, + { + "category": "product_name", + "name": "Red Hat Integration Change Data Capture", + "product": { + "name": "Red Hat Integration Change Data Capture", + "product_id": "red_hat_integration_change_data_capture", + "product_identification_helper": { + "cpe": "cpe:/a:redhat:integration:1" + } + } + }, + { + "category": "product_name", + "name": "Red Hat Integration Service Registry", + "product": { + "name": "Red Hat Integration Service Registry", + "product_id": "red_hat_integration_service_registry", + "product_identification_helper": { + "cpe": "cpe:/a:redhat:service_registry:2" + } + } + }, + { + "category": "product_name", + "name": "Red Hat JBoss Enterprise Application Platform 7", + "product": { + "name": "Red Hat JBoss Enterprise Application Platform 7", + "product_id": "red_hat_jboss_enterprise_application_platform_7", + "product_identification_helper": { + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7" + } + } + }, + { + "category": "product_name", + "name": "Red Hat JBoss Enterprise Application Platform Expansion Pack", + "product": { + "name": "Red Hat JBoss Enterprise Application Platform Expansion Pack", + "product_id": "red_hat_jboss_enterprise_application_platform_expansion_pack", + "product_identification_helper": { + "cpe": "cpe:/a:redhat:jbosseapxp" + } + } + }, + { + "category": "product_name", + "name": "Red Hat JBoss Fuse 7", + "product": { + "name": "Red Hat JBoss Fuse 7", + "product_id": "red_hat_jboss_fuse_7", + "product_identification_helper": { + "cpe": "cpe:/a:redhat:jboss_fuse:7" + } + } + }, + { + "category": "product_name", + "name": "Red Hat Process Automation 7", + "product": { + "name": "Red 
Hat Process Automation 7", + "product_id": "red_hat_process_automation_7", + "product_identification_helper": { + "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" + } + } + }, + { + "branches": [ + { + "category": "product_name", + "name": "Red Hat build of Quarkus 2.7.7", + "product": { + "name": "Red Hat build of Quarkus 2.7.7", + "product_id": "Red Hat build of Quarkus 2.7.7", + "product_identification_helper": { + "cpe": "cpe:/a:redhat:quarkus:2.7" + } + } + } + ], + "category": "product_family", + "name": "Red Hat build of Quarkus" + }, + { + "branches": [ + { + "category": "product_name", + "name": "Red Hat build of Quarkus", + "product": { + "name": "Red Hat build of Quarkus", + "product_id": "Red Hat build of Quarkus", + "product_identification_helper": { + "cpe": "cpe:/a:redhat:quarkus:2.13" + } + } + } + ], + "category": "product_family", + "name": "Red Hat build of Quarkus" + }, + { + "category": "product_version", + "name": "quarkus-vertx-http", + "product": { + "name": "quarkus-vertx-http", + "product_id": "quarkus-vertx-http" + } + }, + { + "category": "product_version", + "name": "io.quarkus/quarkus-vertx-http", + "product": { + "name": "io.quarkus/quarkus-vertx-http", + "product_id": "io.quarkus/quarkus-vertx-http" + } + } + ], + "category": "vendor", + "name": "Red Hat" + } + ], + "relationships": [ + { + "category": "default_component_of", + "full_product_name": { + "name": "quarkus-vertx-http as a component of A-MQ Clients 2", + "product_id": "a-mq_clients_2:quarkus-vertx-http" + }, + "product_reference": "quarkus-vertx-http", + "relates_to_product_reference": "a-mq_clients_2" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "io.quarkus/quarkus-vertx-http as a component of Red Hat build of Quarkus", + "product_id": "red_hat_build_of_quarkus:io.quarkus/quarkus-vertx-http" + }, + "product_reference": "io.quarkus/quarkus-vertx-http", + "relates_to_product_reference": "red_hat_build_of_quarkus" + }, + { + 
"category": "default_component_of", + "full_product_name": { + "name": "quarkus-vertx-http as a component of Red Hat Integration Camel K", + "product_id": "red_hat_integration_camel_k:quarkus-vertx-http" + }, + "product_reference": "quarkus-vertx-http", + "relates_to_product_reference": "red_hat_integration_camel_k" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "quarkus-vertx-http as a component of Red Hat Integration Camel Quarkus", + "product_id": "red_hat_integration_camel_quarkus:quarkus-vertx-http" + }, + "product_reference": "quarkus-vertx-http", + "relates_to_product_reference": "red_hat_integration_camel_quarkus" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "quarkus-vertx-http as a component of Red Hat Integration Change Data Capture", + "product_id": "red_hat_integration_change_data_capture:quarkus-vertx-http" + }, + "product_reference": "quarkus-vertx-http", + "relates_to_product_reference": "red_hat_integration_change_data_capture" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "quarkus-vertx-http as a component of Red Hat Integration Service Registry", + "product_id": "red_hat_integration_service_registry:quarkus-vertx-http" + }, + "product_reference": "quarkus-vertx-http", + "relates_to_product_reference": "red_hat_integration_service_registry" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "quarkus-vertx-http as a component of Red Hat JBoss Enterprise Application Platform 7", + "product_id": "red_hat_jboss_enterprise_application_platform_7:quarkus-vertx-http" + }, + "product_reference": "quarkus-vertx-http", + "relates_to_product_reference": "red_hat_jboss_enterprise_application_platform_7" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "quarkus-vertx-http as a component of Red Hat JBoss Enterprise Application Platform Expansion Pack", + "product_id": 
"red_hat_jboss_enterprise_application_platform_expansion_pack:quarkus-vertx-http" + }, + "product_reference": "quarkus-vertx-http", + "relates_to_product_reference": "red_hat_jboss_enterprise_application_platform_expansion_pack" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "quarkus-vertx-http as a component of Red Hat JBoss Fuse 7", + "product_id": "red_hat_jboss_fuse_7:quarkus-vertx-http" + }, + "product_reference": "quarkus-vertx-http", + "relates_to_product_reference": "red_hat_jboss_fuse_7" + }, + { + "category": "default_component_of", + "full_product_name": { + "name": "quarkus-vertx-http as a component of Red Hat Process Automation 7", + "product_id": "red_hat_process_automation_7:quarkus-vertx-http" + }, + "product_reference": "quarkus-vertx-http", + "relates_to_product_reference": "red_hat_process_automation_7" + } + ] + }, + "vulnerabilities": [ + { + "acknowledgments": [ + { + "names": [ + "Paulo Lopes" + ], + "organization": "Red Hat", + "summary": "This issue was discovered by Red Hat." + } + ], + "cve": "CVE-2023-0044", + "discovery_date": "2023-01-04T00:00:00+00:00", + "flags": [ + { + "label": "vulnerable_code_not_present", + "product_ids": [ + "a-mq_clients_2:quarkus-vertx-http", + "red_hat_integration_camel_k:quarkus-vertx-http", + "red_hat_integration_camel_quarkus:quarkus-vertx-http", + "red_hat_integration_change_data_capture:quarkus-vertx-http", + "red_hat_integration_service_registry:quarkus-vertx-http", + "red_hat_jboss_enterprise_application_platform_7:quarkus-vertx-http", + "red_hat_jboss_enterprise_application_platform_expansion_pack:quarkus-vertx-http", + "red_hat_jboss_fuse_7:quarkus-vertx-http", + "red_hat_process_automation_7:quarkus-vertx-http" + ] + } + ], + "ids": [ + { + "system_name": "Red Hat Bugzilla ID", + "text": "2158081" + } + ], + "notes": [ + { + "category": "description", + "text": "A flaw was found in Quarkus. 
If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure.", + "title": "Vulnerability description" + }, + { + "category": "summary", + "text": "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", + "title": "Vulnerability summary" + }, + { + "category": "general", + "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", + "title": "CVSS score applicability" + } + ], + "product_status": { + "fixed": [ + "Red Hat build of Quarkus", + "Red Hat build of Quarkus 2.7.7" + ], + "known_affected": [ + "red_hat_build_of_quarkus:io.quarkus/quarkus-vertx-http" + ], + "known_not_affected": [ + "a-mq_clients_2:quarkus-vertx-http", + "red_hat_integration_camel_k:quarkus-vertx-http", + "red_hat_integration_camel_quarkus:quarkus-vertx-http", + "red_hat_integration_change_data_capture:quarkus-vertx-http", + "red_hat_integration_service_registry:quarkus-vertx-http", + "red_hat_jboss_enterprise_application_platform_7:quarkus-vertx-http", + "red_hat_jboss_enterprise_application_platform_expansion_pack:quarkus-vertx-http", + "red_hat_jboss_fuse_7:quarkus-vertx-http", + "red_hat_process_automation_7:quarkus-vertx-http" + ] + }, + "references": [ + { + "category": "self", + "summary": "Canonical URL", + "url": "https://access.redhat.com/security/cve/CVE-2023-0044" + }, + { + "category": "external", + "summary": "RHBZ#2158081", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158081" + }, + { + "category": "external", + "summary": "https://www.cve.org/CVERecord?id=CVE-2023-0044", + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0044" + }, + { + "category": "external", + "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0044", + "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2023-0044" + } + ], + "release_date": "2023-01-04T00:00:00+00:00", + "remediations": [ + { + "category": "vendor_fix", + "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", + "product_ids": [ + "Red Hat build of Quarkus 2.7.7" + ], + "url": "https://access.redhat.com/errata/RHSA-2023:1006" + }, + { + "category": "vendor_fix", + "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", + "product_ids": [ + "Red Hat build of Quarkus" + ], + "url": "https://access.redhat.com/errata/RHSA-2023:0758" + }, + { + "category": "workaround", + "details": "This attack can be prevented with the Quarkus CSRF Prevention feature.", + "product_ids": [ + "Red Hat build of Quarkus", + "Red Hat build of Quarkus 2.7.7", + "a-mq_clients_2:quarkus-vertx-http", + "red_hat_build_of_quarkus:io.quarkus/quarkus-vertx-http", + "red_hat_integration_camel_k:quarkus-vertx-http", + "red_hat_integration_camel_quarkus:quarkus-vertx-http", + "red_hat_integration_change_data_capture:quarkus-vertx-http", + "red_hat_integration_service_registry:quarkus-vertx-http", + "red_hat_jboss_enterprise_application_platform_7:quarkus-vertx-http", + "red_hat_jboss_enterprise_application_platform_expansion_pack:quarkus-vertx-http", + "red_hat_jboss_fuse_7:quarkus-vertx-http", + "red_hat_process_automation_7:quarkus-vertx-http" + ] + }, + { + "category": "none_available", + "details": "Affected", + "product_ids": [ + "red_hat_build_of_quarkus:io.quarkus/quarkus-vertx-http" + ] + } + ], + "scores": [ + { + "cvss_v3": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.3, + "baseSeverity": 
"MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" + }, + "products": [ + "Red Hat build of Quarkus", + "Red Hat build of Quarkus 2.7.7", + "red_hat_build_of_quarkus:io.quarkus/quarkus-vertx-http" + ] + } + ], + "threats": [ + { + "category": "impact", + "details": "Low", + "product_ids": [ + "Red Hat build of Quarkus", + "Red Hat build of Quarkus 2.7.7", + "red_hat_build_of_quarkus:io.quarkus/quarkus-vertx-http" + ] + } + ], + "title": "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure" + } + ] +} +-- /2023/cve-2023-0118.json -- { "document": { "aggregate_severity": { @@ -39684,4 +40196,4 @@ "title": "Arbitrary code execution through templates" } ] -} \ No newline at end of file +} diff --git a/rhel/vex/testdata/server/2023/cve-2023-0044.json b/rhel/vex/testdata/server/2023/cve-2023-0044.json deleted file mode 100644 index 036b31e27..000000000 --- a/rhel/vex/testdata/server/2023/cve-2023-0044.json +++ /dev/null 
@@ -1,503 +0,0 @@ -{ - "document": { - "aggregate_severity": { - "namespace": "https://access.redhat.com/security/updates/classification/", - "text": "low" - }, - "category": "csaf_vex", - "csaf_version": "2.0", - "distribution": { - "text": "Copyright © Red Hat, Inc. All rights reserved.", - "tlp": { - "label": "WHITE", - "url": "https://www.first.org/tlp/" - } - }, - "lang": "en", - "notes": [ - { - "category": "legal_disclaimer", - "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", - "title": "Terms of Use" - } - ], - "publisher": { - "category": "vendor", - "contact_details": "https://access.redhat.com/security/team/contact/", - "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.", - "name": "Red Hat Product Security", - "namespace": "https://www.redhat.com" - }, - "references": [ - { - "category": "self", - "summary": "Canonical URL", - "url": "https://access.redhat.com/security/data/csaf/beta/vex/2023/cve-2023-0044.json" - } - ], - "title": "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", - "tracking": { - "current_release_date": "2023-11-13T11:31:31+00:00", - "generator": { - "date": "2023-11-13T12:16:30+00:00", - "engine": { - "name": "Red Hat SDEngine", - "version": "3.24.0" - } - }, - "id": "CVE-2023-0044", - "initial_release_date": "2023-01-04T00:00:00+00:00", - "revision_history": [ - { - "date": "2023-01-04T00:00:00+00:00", - "number": "1", - "summary": "Initial version" - }, - { - "date": "2023-11-13T11:31:31+00:00", - "number": "2", - "summary": "Current version" - } - ], - "status": "final", - "version": "1" - } - }, - "product_tree": { - "branches": [ - { - "branches": [ - { - "category": 
"product_name", - "name": "A-MQ Clients 2", - "product": { - "name": "A-MQ Clients 2", - "product_id": "a-mq_clients_2", - "product_identification_helper": { - "cpe": "cpe:/a:redhat:a_mq_clients:2" - } - } - }, - { - "category": "product_name", - "name": "Red Hat build of Quarkus", - "product": { - "name": "Red Hat build of Quarkus", - "product_id": "red_hat_build_of_quarkus", - "product_identification_helper": { - "cpe": "cpe:/a:redhat:quarkus:2" - } - } - }, - { - "category": "product_name", - "name": "Red Hat Integration Camel K", - "product": { - "name": "Red Hat Integration Camel K", - "product_id": "red_hat_integration_camel_k", - "product_identification_helper": { - "cpe": "cpe:/a:redhat:integration:1" - } - } - }, - { - "category": "product_name", - "name": "Red Hat Integration Camel Quarkus", - "product": { - "name": "Red Hat Integration Camel Quarkus", - "product_id": "red_hat_integration_camel_quarkus", - "product_identification_helper": { - "cpe": "cpe:/a:redhat:camel_quarkus:2" - } - } - }, - { - "category": "product_name", - "name": "Red Hat Integration Change Data Capture", - "product": { - "name": "Red Hat Integration Change Data Capture", - "product_id": "red_hat_integration_change_data_capture", - "product_identification_helper": { - "cpe": "cpe:/a:redhat:integration:1" - } - } - }, - { - "category": "product_name", - "name": "Red Hat Integration Service Registry", - "product": { - "name": "Red Hat Integration Service Registry", - "product_id": "red_hat_integration_service_registry", - "product_identification_helper": { - "cpe": "cpe:/a:redhat:service_registry:2" - } - } - }, - { - "category": "product_name", - "name": "Red Hat JBoss Enterprise Application Platform 7", - "product": { - "name": "Red Hat JBoss Enterprise Application Platform 7", - "product_id": "red_hat_jboss_enterprise_application_platform_7", - "product_identification_helper": { - "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7" - } - } - }, - { - "category": 
"product_name", - "name": "Red Hat JBoss Enterprise Application Platform Expansion Pack", - "product": { - "name": "Red Hat JBoss Enterprise Application Platform Expansion Pack", - "product_id": "red_hat_jboss_enterprise_application_platform_expansion_pack", - "product_identification_helper": { - "cpe": "cpe:/a:redhat:jbosseapxp" - } - } - }, - { - "category": "product_name", - "name": "Red Hat JBoss Fuse 7", - "product": { - "name": "Red Hat JBoss Fuse 7", - "product_id": "red_hat_jboss_fuse_7", - "product_identification_helper": { - "cpe": "cpe:/a:redhat:jboss_fuse:7" - } - } - }, - { - "category": "product_name", - "name": "Red Hat Process Automation 7", - "product": { - "name": "Red Hat Process Automation 7", - "product_id": "red_hat_process_automation_7", - "product_identification_helper": { - "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" - } - } - }, - { - "branches": [ - { - "category": "product_name", - "name": "Red Hat build of Quarkus 2.7.7", - "product": { - "name": "Red Hat build of Quarkus 2.7.7", - "product_id": "Red Hat build of Quarkus 2.7.7", - "product_identification_helper": { - "cpe": "cpe:/a:redhat:quarkus:2.7" - } - } - } - ], - "category": "product_family", - "name": "Red Hat build of Quarkus" - }, - { - "branches": [ - { - "category": "product_name", - "name": "Red Hat build of Quarkus", - "product": { - "name": "Red Hat build of Quarkus", - "product_id": "Red Hat build of Quarkus", - "product_identification_helper": { - "cpe": "cpe:/a:redhat:quarkus:2.13" - } - } - } - ], - "category": "product_family", - "name": "Red Hat build of Quarkus" - }, - { - "category": "product_version", - "name": "quarkus-vertx-http", - "product": { - "name": "quarkus-vertx-http", - "product_id": "quarkus-vertx-http" - } - }, - { - "category": "product_version", - "name": "io.quarkus/quarkus-vertx-http", - "product": { - "name": "io.quarkus/quarkus-vertx-http", - "product_id": "io.quarkus/quarkus-vertx-http" - } - } - ], - "category": "vendor", - 
"name": "Red Hat" - } - ], - "relationships": [ - { - "category": "default_component_of", - "full_product_name": { - "name": "quarkus-vertx-http as a component of A-MQ Clients 2", - "product_id": "a-mq_clients_2:quarkus-vertx-http" - }, - "product_reference": "quarkus-vertx-http", - "relates_to_product_reference": "a-mq_clients_2" - }, - { - "category": "default_component_of", - "full_product_name": { - "name": "io.quarkus/quarkus-vertx-http as a component of Red Hat build of Quarkus", - "product_id": "red_hat_build_of_quarkus:io.quarkus/quarkus-vertx-http" - }, - "product_reference": "io.quarkus/quarkus-vertx-http", - "relates_to_product_reference": "red_hat_build_of_quarkus" - }, - { - "category": "default_component_of", - "full_product_name": { - "name": "quarkus-vertx-http as a component of Red Hat Integration Camel K", - "product_id": "red_hat_integration_camel_k:quarkus-vertx-http" - }, - "product_reference": "quarkus-vertx-http", - "relates_to_product_reference": "red_hat_integration_camel_k" - }, - { - "category": "default_component_of", - "full_product_name": { - "name": "quarkus-vertx-http as a component of Red Hat Integration Camel Quarkus", - "product_id": "red_hat_integration_camel_quarkus:quarkus-vertx-http" - }, - "product_reference": "quarkus-vertx-http", - "relates_to_product_reference": "red_hat_integration_camel_quarkus" - }, - { - "category": "default_component_of", - "full_product_name": { - "name": "quarkus-vertx-http as a component of Red Hat Integration Change Data Capture", - "product_id": "red_hat_integration_change_data_capture:quarkus-vertx-http" - }, - "product_reference": "quarkus-vertx-http", - "relates_to_product_reference": "red_hat_integration_change_data_capture" - }, - { - "category": "default_component_of", - "full_product_name": { - "name": "quarkus-vertx-http as a component of Red Hat Integration Service Registry", - "product_id": "red_hat_integration_service_registry:quarkus-vertx-http" - }, - "product_reference": 
"quarkus-vertx-http", - "relates_to_product_reference": "red_hat_integration_service_registry" - }, - { - "category": "default_component_of", - "full_product_name": { - "name": "quarkus-vertx-http as a component of Red Hat JBoss Enterprise Application Platform 7", - "product_id": "red_hat_jboss_enterprise_application_platform_7:quarkus-vertx-http" - }, - "product_reference": "quarkus-vertx-http", - "relates_to_product_reference": "red_hat_jboss_enterprise_application_platform_7" - }, - { - "category": "default_component_of", - "full_product_name": { - "name": "quarkus-vertx-http as a component of Red Hat JBoss Enterprise Application Platform Expansion Pack", - "product_id": "red_hat_jboss_enterprise_application_platform_expansion_pack:quarkus-vertx-http" - }, - "product_reference": "quarkus-vertx-http", - "relates_to_product_reference": "red_hat_jboss_enterprise_application_platform_expansion_pack" - }, - { - "category": "default_component_of", - "full_product_name": { - "name": "quarkus-vertx-http as a component of Red Hat JBoss Fuse 7", - "product_id": "red_hat_jboss_fuse_7:quarkus-vertx-http" - }, - "product_reference": "quarkus-vertx-http", - "relates_to_product_reference": "red_hat_jboss_fuse_7" - }, - { - "category": "default_component_of", - "full_product_name": { - "name": "quarkus-vertx-http as a component of Red Hat Process Automation 7", - "product_id": "red_hat_process_automation_7:quarkus-vertx-http" - }, - "product_reference": "quarkus-vertx-http", - "relates_to_product_reference": "red_hat_process_automation_7" - } - ] - }, - "vulnerabilities": [ - { - "acknowledgments": [ - { - "names": [ - "Paulo Lopes" - ], - "organization": "Red Hat", - "summary": "This issue was discovered by Red Hat." 
- } - ], - "cve": "CVE-2023-0044", - "discovery_date": "2023-01-04T00:00:00+00:00", - "flags": [ - { - "label": "vulnerable_code_not_present", - "product_ids": [ - "a-mq_clients_2:quarkus-vertx-http", - "red_hat_integration_camel_k:quarkus-vertx-http", - "red_hat_integration_camel_quarkus:quarkus-vertx-http", - "red_hat_integration_change_data_capture:quarkus-vertx-http", - "red_hat_integration_service_registry:quarkus-vertx-http", - "red_hat_jboss_enterprise_application_platform_7:quarkus-vertx-http", - "red_hat_jboss_enterprise_application_platform_expansion_pack:quarkus-vertx-http", - "red_hat_jboss_fuse_7:quarkus-vertx-http", - "red_hat_process_automation_7:quarkus-vertx-http" - ] - } - ], - "ids": [ - { - "system_name": "Red Hat Bugzilla ID", - "text": "2158081" - } - ], - "notes": [ - { - "category": "description", - "text": "A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure.", - "title": "Vulnerability description" - }, - { - "category": "summary", - "text": "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", - "title": "Vulnerability summary" - }, - { - "category": "general", - "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", - "title": "CVSS score applicability" - } - ], - "product_status": { - "fixed": [ - "Red Hat build of Quarkus", - "Red Hat build of Quarkus 2.7.7" - ], - "known_affected": [ - "red_hat_build_of_quarkus:io.quarkus/quarkus-vertx-http" - ], - "known_not_affected": [ - "a-mq_clients_2:quarkus-vertx-http", - "red_hat_integration_camel_k:quarkus-vertx-http", - "red_hat_integration_camel_quarkus:quarkus-vertx-http", - "red_hat_integration_change_data_capture:quarkus-vertx-http", - 
"red_hat_integration_service_registry:quarkus-vertx-http", - "red_hat_jboss_enterprise_application_platform_7:quarkus-vertx-http", - "red_hat_jboss_enterprise_application_platform_expansion_pack:quarkus-vertx-http", - "red_hat_jboss_fuse_7:quarkus-vertx-http", - "red_hat_process_automation_7:quarkus-vertx-http" - ] - }, - "references": [ - { - "category": "self", - "summary": "Canonical URL", - "url": "https://access.redhat.com/security/cve/CVE-2023-0044" - }, - { - "category": "external", - "summary": "RHBZ#2158081", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158081" - }, - { - "category": "external", - "summary": "https://www.cve.org/CVERecord?id=CVE-2023-0044", - "url": "https://www.cve.org/CVERecord?id=CVE-2023-0044" - }, - { - "category": "external", - "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0044", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0044" - } - ], - "release_date": "2023-01-04T00:00:00+00:00", - "remediations": [ - { - "category": "vendor_fix", - "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", - "product_ids": [ - "Red Hat build of Quarkus 2.7.7" - ], - "url": "https://access.redhat.com/errata/RHSA-2023:1006" - }, - { - "category": "vendor_fix", - "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", - "product_ids": [ - "Red Hat build of Quarkus" - ], - "url": "https://access.redhat.com/errata/RHSA-2023:0758" - }, - { - "category": "workaround", - "details": "This attack can be prevented with the Quarkus CSRF Prevention feature.", - "product_ids": [ - "Red Hat build of Quarkus", - "Red Hat build of Quarkus 2.7.7", - "a-mq_clients_2:quarkus-vertx-http", - 
"red_hat_build_of_quarkus:io.quarkus/quarkus-vertx-http", - "red_hat_integration_camel_k:quarkus-vertx-http", - "red_hat_integration_camel_quarkus:quarkus-vertx-http", - "red_hat_integration_change_data_capture:quarkus-vertx-http", - "red_hat_integration_service_registry:quarkus-vertx-http", - "red_hat_jboss_enterprise_application_platform_7:quarkus-vertx-http", - "red_hat_jboss_enterprise_application_platform_expansion_pack:quarkus-vertx-http", - "red_hat_jboss_fuse_7:quarkus-vertx-http", - "red_hat_process_automation_7:quarkus-vertx-http" - ] - }, - { - "category": "none_available", - "details": "Affected", - "product_ids": [ - "red_hat_build_of_quarkus:io.quarkus/quarkus-vertx-http" - ] - } - ], - "scores": [ - { - "cvss_v3": { - "attackComplexity": "LOW", - "attackVector": "NETWORK", - "availabilityImpact": "NONE", - "baseScore": 5.3, - "baseSeverity": "MEDIUM", - "confidentialityImpact": "LOW", - "integrityImpact": "NONE", - "privilegesRequired": "NONE", - "scope": "UNCHANGED", - "userInteraction": "NONE", - "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "version": "3.1" - }, - "products": [ - "Red Hat build of Quarkus", - "Red Hat build of Quarkus 2.7.7", - "red_hat_build_of_quarkus:io.quarkus/quarkus-vertx-http" - ] - } - ], - "threats": [ - { - "category": "impact", - "details": "Low", - "product_ids": [ - "Red Hat build of Quarkus", - "Red Hat build of Quarkus 2.7.7", - "red_hat_build_of_quarkus:io.quarkus/quarkus-vertx-http" - ] - } - ], - "title": "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure" - } - ] -} \ No newline at end of file