Multiple vulnerabilities in Red Hat Integration Camel Extensions for Quarkus 3.8.5



Risk: Medium
Patch available: Yes
Number of vulnerabilities: 2
CVE-ID: CVE-2024-3653, CVE-2024-8391
CWE-ID: CWE-400, CWE-770
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Red Hat Integration Camel Extensions for Quarkus
Software category: Server applications / Other server solutions

Vendor: Red Hat Inc.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Resource exhaustion

EUVDB-ID: #VU96051

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-3653

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect handling of requests within the LearningPushHandler. A remote attacker can send specially crafted requests to the web server and consume all available memory, leading to a denial of service.

Successful exploitation of the vulnerability requires that the LearningPushHandler is enabled (it is disabled by default).

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat Integration Camel Extensions for Quarkus: before 3.8.5.SP1

External links

http://access.redhat.com/errata/RHSA-2024:6437


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Allocation of Resources Without Limits or Throttling

EUVDB-ID: #VU97683

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-8391

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the gRPC server does not limit the maximum length of a message payload. A remote attacker can send multiple extremely large messages to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Red Hat Integration Camel Extensions for Quarkus: before 3.8.5.SP1

External links

http://access.redhat.com/errata/RHSA-2024:6437


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


