{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright © Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat Integration Camel Extensions for Quarkus 2.13.3 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed.\n\n Red Hat Product Security has rated this update as having an impact of Important.\n A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "A security update for Camel Extensions for Quarkus 2.13.3 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.\n Red Hat Product Security has rated this update as having an impact of Important.\n\n A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\n Security Fix(es):\n\n  * CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray\n   * CVE-2021-37533 apache-commons-net: FTP client trusts the host from PASV response by default",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:3667",
        "url": "https://access.redhat.com/errata/RHSA-2023:3667"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/cve-2023-1436",
        "url": "https://access.redhat.com/security/cve/cve-2023-1436"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/cve-2021-37533",
        "url": "https://access.redhat.com/security/cve/cve-2021-37533"
      },
      {
        "category": "external",
        "summary": "2169924",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169924"
      },
      {
        "category": "external",
        "summary": "2182788",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182788"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3667.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Integration Camel Extensions for Quarkus 2.13.3 security update",
    "tracking": {
      "current_release_date": "2026-03-21T01:23:19+00:00",
      "generator": {
        "date": "2026-03-21T01:23:19+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.3"
        }
      },
      "id": "RHSA-2023:3667",
      "initial_release_date": "2023-06-19T16:32:32+00:00",
      "revision_history": [
        {
          "date": "2023-06-19T16:32:32+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-06-19T16:32:32+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-03-21T01:23:19+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "RHINT Camel-Q 2.13.3",
                "product": {
                  "name": "RHINT Camel-Q 2.13.3",
                  "product_id": "RHINT Camel-Q 2.13.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:camel_quarkus:2.13"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Integration"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-37533",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2023-02-15T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2169924"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache Commons Net's FTP, where the client trusts the host from PASV response by default. A malicious server could redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This issue could lead to leakage of information about services running on the private network of the client.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-commons-net: FTP client trusts the host from PASV response by default",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Camel-Q 2.13.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-37533"
        },
        {
          "category": "external",
          "summary": "RHBZ#2169924",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169924"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37533",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-37533"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37533",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37533"
        }
      ],
      "release_date": "2023-02-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-06-19T16:32:32+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHINT Camel-Q 2.13.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3667"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "RHINT Camel-Q 2.13.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "apache-commons-net: FTP client trusts the host from PASV response by default"
    },
    {
      "cve": "CVE-2023-1436",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "discovery_date": "2023-03-29T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2182788"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jettison: Uncontrolled Recursion in JSONArray",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Camel-Q 2.13.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-1436"
        },
        {
          "category": "external",
          "summary": "RHBZ#2182788",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182788"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-1436",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-1436"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436"
        },
        {
          "category": "external",
          "summary": "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/",
          "url": "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/"
        }
      ],
      "release_date": "2023-03-22T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-06-19T16:32:32+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHINT Camel-Q 2.13.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3667"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "RHINT Camel-Q 2.13.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jettison: Uncontrolled Recursion in JSONArray"
    }
  ]
}