Product:

Quarkus

(Quarkus)
Repositories

Unknown:

This might be proprietary software.

#Vulnerabilities 16
Date Id Summary Products Score Patch Annotated
2020-12-02 CVE-2020-13956 Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution. Drill, Httpclient, Data_integrator, Nosql_database, Peoplesoft_enterprise_pt_peopletools, Primavera_unifier, Spatial_studio, Sql_developer, Quarkus 5.3
2021-02-08 CVE-2021-21290 Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary... Debian_linux, Netty, Nosql_database, Quarkus 5.5
2021-03-09 CVE-2021-21295 Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as... Kudu, Debian_linux, Oncommand_api_services, Oncommand_workflow_automation, Netty, Quarkus 5.9
2020-12-03 CVE-2020-25649 A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. Jackson\-Databind, Fedora, Oncommand_api_services, Oncommand_workflow_automation, Service_level_manager, Quarkus 7.5
2020-07-06 CVE-2019-14900 A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. Hibernate_orm, Quarkus, Decision_manager, Jboss_data_grid, Openstack 6.5
2020-12-02 CVE-2020-25638 A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity. Debian_linux, Hibernate_orm, Quarkus 7.4
2020-12-10 CVE-2020-8908 A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers,... Guava, Quarkus 3.3
2020-05-06 CVE-2020-10693 A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages. Websphere_application_server, Quarkus, Hibernate_validator, Jboss_enterprise_application_platform, Satellite, Satellite_capsule 5.3
2021-05-26 CVE-2020-25724 A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided. This flaw allows an attacker to gain access to privileged information. The highest threat from this vulnerability is to confidentiality and integrity. Versions before resteasy 2.0.0.Alpha3 are affected. Quarkus, Resteasy 4.3
2019-12-12 CVE-2017-18640 The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564. Fedora, Quarkus, Snakeyaml 7.5