SB2019061816 - Red Hat update for pki-deps:10.6
Published: June 18, 2019 Updated: June 18, 2019
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2018-8014)
supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. A remote attacker can access important data.
2) Security restrictions bypass (CVE-ID: CVE-2018-8034)
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists because host name verification was missing when using TLS with the WebSocket client. A remote unauthenticated attacker can bypass security restrictions when using TLS.
3) Information disclosure (CVE-ID: CVE-2018-8037)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due to improper handling of connection closures by the non-blocking I/O (NIO) and NIO2 connectors. A remote unauthenticated attacker can send a specially crafted request that submits malicious input, trigger a bug in the tracking of connection closures, reuse user sessions in a new connection and access arbitrary data.
4) Open redirect (CVE-ID: CVE-2018-11784)
The vulnerability allows a remote attacker to redirect victims to an arbitrary URI.
The vulnerability exists due to improper sanitization of user-supplied data. A remote attacker can create a link that appears to lead to a trusted website but, when clicked, redirects the victim to an arbitrary URI.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
Remediation
Install update from vendor's website.
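For CVE-2018-8014, auditing deployment descriptors confirms whether any application depends on the CORS filter's default configuration. The script below is an added example, not part of the bulletin or of vendor code. The filter class name, the parameter names `cors.allowed.origins` and `cors.support.credentials`, and the pre-fix defaults are assumptions taken from Apache Tomcat's CORS filter documentation rather than from this page, and the sample descriptors are constructed.

```python
import xml.etree.ElementTree as ET

CORS_FILTER = "org.apache.catalina.filters.CorsFilter"
# Defaults of the pre-fix filter (assumption from Tomcat docs, not from the bulletin).
LEGACY_DEFAULTS = {"cors.allowed.origins": "*", "cors.support.credentials": "true"}

def _local(tag):
    """Strip the XML namespace so descriptors of any schema version match."""
    return tag.rsplit("}", 1)[-1]

def audit_cors(web_xml_text):
    """Return (filter_name, verdict) for every CorsFilter declared in a web.xml."""
    findings = []
    for flt in ET.fromstring(web_xml_text).iter():
        if _local(flt.tag) != "filter":
            continue
        fields, params = {}, {}
        for child in flt:
            if _local(child.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name")] = kv.get("param-value", "")
            else:
                fields[_local(child.tag)] = (child.text or "").strip()
        if fields.get("filter-class") != CORS_FILTER:
            continue
        effective = {**LEGACY_DEFAULTS, **params}  # explicit params override defaults
        any_origin = effective["cors.allowed.origins"] == "*"
        creds = effective["cors.support.credentials"].lower() == "true"
        verdict = "ok"
        if any_origin and creds:
            explicit = all(k in params for k in LEGACY_DEFAULTS)
            verdict = "explicit-insecure" if explicit else "relies-on-defaults"
        findings.append((fields.get("filter-name"), verdict))
    return findings

# Constructed sample descriptors: one bare filter, one with a pinned origin.
SAMPLE_DEFAULT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter><filter-name>CorsDefault</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class></filter>
</web-app>"""
SAMPLE_PINNED = """<web-app>
  <filter><filter-name>CorsPinned</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name><param-value>https://app.example.com</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name><param-value>true</param-value></init-param></filter>
</web-app>"""

if __name__ == "__main__":
    print(audit_cors(SAMPLE_DEFAULT), audit_cors(SAMPLE_PINNED))
```

A `relies-on-defaults` verdict means the filter ran with the permissive defaults before the update, so the allowed origins for that application should be set explicitly.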