Multiple vulnerabilities in Red Hat Integration Camel Extensions for Quarkus 2.13

Published: 2023-06-19

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2021-37533 CVE-2023-1436
CWE-ID	CWE-345 CWE-674
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Red Hat Integration Camel Extensions for Quarkus Server applications / Other server solutions
Vendor	Red Hat Inc.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Insufficient verification of data authenticity

EUVDB-ID: #VU70441

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-37533

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

Exploit availability: No

Description

The vulnerability allows an attacker to redirect victim to a malicious host.

The vulnerability exists due to the application trusts the host from PASV response by default. A remote attacker can trick the victim into connecting to an attacker controlled FTP server and then redirect the application to another host.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Red Hat Integration Camel Extensions for Quarkus: 2.13.2 - 2.13.2-2

CPE2.3

External links

https://access.redhat.com/errata/RHSA-2023:3667

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Uncontrolled Recursion

EUVDB-ID: #VU75431

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-1436

CWE-ID: CWE-674 - Uncontrolled Recursion