CVE-2021-41190 (GCVE-0-2021-41190)
Vulnerability from cvelistv5 – Published: 2021-11-17 19:20 – Updated: 2024-08-04 03:08
CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
| URL | Tags |
|---|---|
| https://github.com/opencontainers/distribution-sp… | x_refsource_CONFIRM |
| https://github.com/opencontainers/distribution-sp… | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2021/1… | mailing-list, x_refsource_MLIST |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory, x_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory, x_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory, x_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory, x_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory, x_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory, x_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory, x_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory, x_refsource_FEDORA |

| Vendor | Product | Version |
|---|---|---|
| opencontainers | distribution-spec | Affected: < 1.0.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:08:31.262Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923"
},
{
"name": "[oss-security] 20211119 CVE-2021-41190 OCI distribution and image spec: \"content-type\" confusion",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/19/10"
},
{
"name": "FEDORA-2021-d250fc2622",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/"
},
{
"name": "FEDORA-2021-6dc68dbe4d",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/"
},
{
"name": "FEDORA-2021-79ba5abef6",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/"
},
{
"name": "FEDORA-2021-eb2742b148",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/"
},
{
"name": "FEDORA-2021-3dda301691",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/"
},
{
"name": "FEDORA-2021-aacef7fa15",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/"
},
{
"name": "FEDORA-2021-62352983b4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/"
},
{
"name": "FEDORA-2021-6789ed60f2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "distribution-spec",
"vendor": "opencontainers",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \u201cmanifests\u201d and \u201clayers\u201d fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \u201cmanifests\u201d and \u201clayers\u201d fields or \u201cmanifests\u201d and \u201cconfig\u201d fields if they are unable to update to version 1.0.1 of the spec."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-10T02:06:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923"
},
{
"name": "[oss-security] 20211119 CVE-2021-41190 OCI distribution and image spec: \"content-type\" confusion",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/19/10"
},
{
"name": "FEDORA-2021-d250fc2622",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/"
},
{
"name": "FEDORA-2021-6dc68dbe4d",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/"
},
{
"name": "FEDORA-2021-79ba5abef6",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/"
},
{
"name": "FEDORA-2021-eb2742b148",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/"
},
{
"name": "FEDORA-2021-3dda301691",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/"
},
{
"name": "FEDORA-2021-aacef7fa15",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/"
},
{
"name": "FEDORA-2021-62352983b4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/"
},
{
"name": "FEDORA-2021-6789ed60f2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/"
}
],
"source": {
"advisory": "GHSA-mc8v-mgrf-8f4m",
"discovery": "UNKNOWN"
},
"title": "Clarify Content-Type handling in OCI spec",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41190",
"STATE": "PUBLIC",
"TITLE": "Clarify Content-Type handling in OCI spec"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "distribution-spec",
"version": {
"version_data": [
{
"version_value": "\u003c 1.0.1"
}
]
}
}
]
},
"vendor_name": "opencontainers"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \u201cmanifests\u201d and \u201clayers\u201d fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \u201cmanifests\u201d and \u201clayers\u201d fields or \u201cmanifests\u201d and \u201cconfig\u201d fields if they are unable to update to version 1.0.1 of the spec."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m",
"refsource": "CONFIRM",
"url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
},
{
"name": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923",
"refsource": "MISC",
"url": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923"
},
{
"name": "[oss-security] 20211119 CVE-2021-41190 OCI distribution and image spec: \"content-type\" confusion",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/11/19/10"
},
{
"name": "FEDORA-2021-d250fc2622",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/"
},
{
"name": "FEDORA-2021-6dc68dbe4d",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/"
},
{
"name": "FEDORA-2021-79ba5abef6",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/"
},
{
"name": "FEDORA-2021-eb2742b148",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/"
},
{
"name": "FEDORA-2021-3dda301691",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/"
},
{
"name": "FEDORA-2021-aacef7fa15",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/"
},
{
"name": "FEDORA-2021-62352983b4",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/"
},
{
"name": "FEDORA-2021-6789ed60f2",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/"
}
]
},
"source": {
"advisory": "GHSA-mc8v-mgrf-8f4m",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41190",
"datePublished": "2021-11-17T19:20:11.000Z",
"dateReserved": "2021-09-15T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:08:31.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-41190",
"date": "2026-05-25",
"epss": "0.0035",
"percentile": "0.57569"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:linuxfoundation:open_container_initiative_distribution_specification:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.0.0\", \"matchCriteriaId\": \"CEA62E19-78AE-4FD8-8888-B347544BB7A9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:linuxfoundation:open_container_initiative_image_format_specification:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.0.1\", \"matchCriteriaId\": \"1355CC51-5D8D-4C5A-AA67-93157ED1ADAE\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A930E247-0B43-43CB-98FF-6CE7B8189835\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \\u201cmanifests\\u201d and \\u201clayers\\u201d fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \\u201cmanifests\\u201d and \\u201clayers\\u201d fields or \\u201cmanifests\\u201d and \\u201cconfig\\u201d fields if they are unable to update to version 1.0.1 of the spec.\"}, {\"lang\": \"es\", \"value\": \"El proyecto OCI Distribution Spec define un protocolo API para facilitar y estandarizar la distribuci\\u00f3n de contenidos. En la versi\\u00f3n 1.0.0 de OCI Distribution Specification y anteriores, se utilizaba \\u00fanicamente la cabecera Content-Type para determinar el tipo de documento durante las operaciones push y pull. Los documentos que conten\\u00edan campos \\\"manifiestos\\\" y \\\"capas\\\" pod\\u00edan interpretarse como un manifiesto o un \\u00edndice en ausencia de una cabecera Content-Type que los acompa\\u00f1ara. Si una cabecera Content-Type cambiaba entre dos pulls del mismo compendio, un cliente podr\\u00eda interpretar el contenido resultante de forma diferente. 
La especificaci\\u00f3n de distribuci\\u00f3n de la OCI se ha actualizado para exigir que el valor de mediaType presente en un manifiesto o \\u00edndice coincida con la cabecera Content-Type utilizada durante las operaciones push y pull. Los clientes que extraen de un registro pueden desconfiar de la cabecera Content-Type y rechazar un documento ambiguo que contenga campos \\\"manifiestos\\\" y \\\"capas\\\" o campos \\\"manifiestos\\\" y \\\"config\\\" si no pueden actualizarse a la versi\\u00f3n 1.0.1 de la especificaci\\u00f3n\"}]",
"id": "CVE-2021-41190",
"lastModified": "2024-11-21T06:25:43.537",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N\", \"baseScore\": 3.0, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.3, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N\", \"baseScore\": 5.0, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.1, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:N/I:P/A:N\", \"baseScore\": 4.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2021-11-17T20:15:10.333",
"references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2021/11/19/10\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/\", \"source\": \"security-advisories@github.com\"}, {\"url\": 
\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/11/19/10\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, 
{\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-843\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-843\"}]}]"
}
}
}
CERTFR-2022-AVI-591
Vulnerability from certfr_avis - Published: - Updated:
Multiple vulnerabilities have been discovered in IBM products. Some of them allow an attacker to cause arbitrary code execution, a remote denial of service and a security policy bypass.
Solution
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
| Vendor | Product | Description |
|---|---|---|
| IBM | Spectrum | IBM Spectrum Protect Plus versions earlier than 10.1.11 |
| IBM | Spectrum | IBM Spectrum Protect Client versions earlier than 8.1.1.15 |
| IBM | N/A | IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data versions earlier than 4.5.0 |
| IBM | Db2 | IBM® Db2® on Openshift versions earlier than 11.5.7.0-cn5 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Spectrum Protect Plus versions ant\u00e9rieures \u00e0 10.1.11",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Protect Client versions ant\u00e9rieures \u00e0 8.1.1.15",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM\u00ae Db2\u00ae et Db2 Warehouse\u00ae sur Cloud Pak for Data versions ant\u00e9rieures \u00e0 4.5.0",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM\u00ae Db2\u00ae sur Openshift versions ant\u00e9rieures \u00e0 11.5.7.0-cn5",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-29368",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-29368"
},
{
"name": "CVE-2021-20322",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20322"
},
{
"name": "CVE-2018-1099",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1099"
},
{
"name": "CVE-2021-4154",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4154"
},
{
"name": "CVE-2021-45485",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45485"
},
{
"name": "CVE-2022-27191",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27191"
},
{
"name": "CVE-2021-30465",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30465"
},
{
"name": "CVE-2019-11249",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11249"
},
{
"name": "CVE-2020-8557",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8557"
},
{
"name": "CVE-2020-7919",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7919"
},
{
"name": "CVE-2019-11247",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11247"
},
{
"name": "CVE-2020-28851",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28851"
},
{
"name": "CVE-2021-42248",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42248"
},
{
"name": "CVE-2018-1002105",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1002105"
},
{
"name": "CVE-2021-31525",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31525"
},
{
"name": "CVE-2020-15112",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15112"
},
{
"name": "CVE-2021-4203",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4203"
},
{
"name": "CVE-2021-25736",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25736"
},
{
"name": "CVE-2020-27813",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27813"
},
{
"name": "CVE-2018-17848",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17848"
},
{
"name": "CVE-2019-16884",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16884"
},
{
"name": "CVE-2021-41864",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41864"
},
{
"name": "CVE-2020-36385",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36385"
},
{
"name": "CVE-2020-25704",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25704"
},
{
"name": "CVE-2021-25735",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25735"
},
{
"name": "CVE-2017-18367",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18367"
},
{
"name": "CVE-2020-8564",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8564"
},
{
"name": "CVE-2021-20206",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20206"
},
{
"name": "CVE-2019-11246",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11246"
},
{
"name": "CVE-2021-31916",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31916"
},
{
"name": "CVE-2020-8565",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8565"
},
{
"name": "CVE-2021-27918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27918"
},
{
"name": "CVE-2021-3635",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3635"
},
{
"name": "CVE-2021-3573",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3573"
},
{
"name": "CVE-2018-1098",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1098"
},
{
"name": "CVE-2021-28971",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28971"
},
{
"name": "CVE-2019-11254",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11254"
},
{
"name": "CVE-2022-0286",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0286"
},
{
"name": "CVE-2021-4002",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4002"
},
{
"name": "CVE-2021-4083",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4083"
},
{
"name": "CVE-2021-45486",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45486"
},
{
"name": "CVE-2020-8551",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8551"
},
{
"name": "CVE-2017-1002101",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-1002101"
},
{
"name": "CVE-2021-4157",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4157"
},
{
"name": "CVE-2020-15106",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15106"
},
{
"name": "CVE-2021-43784",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43784"
},
{
"name": "CVE-2021-20321",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20321"
},
{
"name": "CVE-2018-17142",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17142"
},
{
"name": "CVE-2022-0185",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0185"
},
{
"name": "CVE-2022-0847",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0847"
},
{
"name": "CVE-2021-41190",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41190"
},
{
"name": "CVE-2021-44733",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44733"
},
{
"name": "CVE-2020-8552",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8552"
},
{
"name": "CVE-2021-20269",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20269"
},
{
"name": "CVE-2020-8554",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8554"
},
{
"name": "CVE-2019-11252",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11252"
},
{
"name": "CVE-2021-3121",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3121"
},
{
"name": "CVE-2019-11250",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11250"
},
{
"name": "CVE-2022-22942",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22942"
},
{
"name": "CVE-2022-1011",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1011"
},
{
"name": "CVE-2021-3669",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3669"
},
{
"name": "CVE-2020-8559",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8559"
},
{
"name": "CVE-2020-10752",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10752"
},
{
"name": "CVE-2021-28950",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28950"
},
{
"name": "CVE-2021-29650",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29650"
},
{
"name": "CVE-2020-36322",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36322"
},
{
"name": "CVE-2020-28852",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28852"
},
{
"name": "CVE-2021-4155",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4155"
},
{
"name": "CVE-2020-15113",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15113"
},
{
"name": "CVE-2020-29652",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-29652"
},
{
"name": "CVE-2018-17847",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17847"
},
{
"name": "CVE-2022-0492",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0492"
},
{
"name": "CVE-2020-26160",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26160"
},
{
"name": "CVE-2022-0778",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0778"
},
{
"name": "CVE-2021-42836",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42836"
},
{
"name": "CVE-2020-8555",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8555"
},
{
"name": "CVE-2021-44716",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44716"
},
{
"name": "CVE-2018-17143",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17143"
},
{
"name": "CVE-2019-11841",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11841"
},
{
"name": "CVE-2018-20699",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20699"
},
{
"name": "CVE-2021-33194",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33194"
},
{
"name": "CVE-2020-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14040"
},
{
"name": "CVE-2021-3764",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3764"
},
{
"name": "CVE-2019-1002101",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-1002101"
},
{
"name": "CVE-2021-38201",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38201"
},
{
"name": "CVE-2021-21781",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21781"
},
{
"name": "CVE-2022-0850",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0850"
},
{
"name": "CVE-2021-3538",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3538"
},
{
"name": "CVE-2019-11253",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11253"
},
{
"name": "CVE-2021-25737",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25737"
},
{
"name": "CVE-2018-17846",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17846"
},
{
"name": "CVE-2021-4028",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4028"
},
{
"name": "CVE-2021-43565",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43565"
},
{
"name": "CVE-2021-25741",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25741"
},
{
"name": "CVE-2018-16886",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16886"
},
{
"name": "CVE-2021-44907",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44907"
},
{
"name": "CVE-2021-4197",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4197"
},
{
"name": "CVE-2020-9283",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9283"
},
{
"name": "CVE-2019-11840",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11840"
},
{
"name": "CVE-2019-11251",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11251"
},
{
"name": "CVE-2020-36067",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36067"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-591",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-06-30T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire, un d\u00e9ni de service \u00e0 distance et un\ncontournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6596399 du 29 juin 2022",
"url": "https://www.ibm.com/support/pages/node/6596399"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6596971 du 29 juin 2022",
"url": "https://www.ibm.com/support/pages/node/6596971"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6599703 du 29 juin 2022",
"url": "https://www.ibm.com/support/pages/node/6599703"
}
]
}
CERTFR-2024-AVI-0145
Vulnerability from certfr_avis - Published: - Updated:
Multiple vulnerabilities have been discovered in IBM products. Some of them allow an attacker to cause a breach of data confidentiality, remote arbitrary code execution and privilege escalation.
Solution
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
| Vendor | Product | Description |
|---|---|---|
| IBM | Db2 | IBM Cloud APM, Advanced Private versions 8.1.4 without the latest Db2 cumulative Fixpack security patch |
| IBM | QRadar Suite Software | QRadar Suite Software versions 1.10.x.x earlier than 1.10.18.0 |
| IBM | N/A | IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions earlier than v4.8.2 |
| IBM | QRadar SIEM | IBM QRadar SIEM versions 7.5.x earlier than 7.5.0 UP7 IF05 |
| IBM | QRadar | IBM QRadar Use Case Manager App versions earlier than 3.9.0 |
| IBM | WebSphere | IBM WebSphere Application Server versions 8.5.x.x without SDK version 8 Service Refresh 8 FP20 |
| IBM | WebSphere | IBM WebSphere Application Server Liberty without SDK version 8 Service Refresh 8 FP20 |
| IBM | Sterling Connect:Direct | IBM Sterling Connect:Direct Web Services versions 6.1.x.x earlier than 6.1.0.23 |
| IBM | Sterling Connect:Direct | IBM Sterling Connect:Direct Web Services versions 6.3.x.x earlier than 6.3.0.6 |
| IBM | Sterling Connect:Direct | IBM Sterling Connect:Direct Web Services versions 6.2.x.x earlier than 6.2.0.22 |
| IBM | Db2 | IBM Cloud APM, Base Private versions 8.1.4 without the latest Db2 cumulative Fixpack security patch |
| IBM | Cloud Pak | IBM Cloud Pak for Security versions 1.10.x.x earlier than 1.10.18.0 |
| IBM | Spectrum | IBM Spectrum Scale versions 5.1.x.x earlier than 5.1.2.15 |
| IBM | WebSphere | IBM WebSphere Application Server versions 9.x without SDK version 8 Service Refresh 8 FP20 |
| IBM | QRadar WinCollect Agent | IBM QRadar WinCollect Agent versions 10.0.x earlier than 10.1.9 |
| IBM | Spectrum | IBM Spectrum Scale versions 5.1.3.x earlier than 5.1.9.2 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Cloud APM, Advanced Private versions 8.1.4 sans le dernier correctif de s\u00e9curit\u00e9 Fixpack cumulatif Db2",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar Suite Software versions 1.10.x.x ant\u00e9rieures \u00e0 1.10.18.0",
"product": {
"name": "QRadar Suite Software",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Db2 sur Cloud Pak pour Data et Db2 Warehouse sur Cloud Pak for Data versions ant\u00e9rieures \u00e0 v4.8.2",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar SIEM versions 7.5.x ant\u00e9rieures \u00e0 7.5.0 UP7 IF05",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar Use Case Manager App versions ant\u00e9rieures \u00e0 3.9.0",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM WebSphere Application Server versions 8.5.x.x sans le SDK version 8 Service Refresh 8 FP20",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM WebSphere Application Server Liberty sans le SDK version 8 Service Refresh 8 FP20",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Sterling Connect:Direct Web Services versions 6.1.x.x ant\u00e9rieures \u00e0 6.1.0.23",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Sterling Connect:Direct Web Services versions 6.3.x.x ant\u00e9rieures \u00e0 6.3.0.6",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Sterling Connect:Direct Web Services versions 6.2.x.x ant\u00e9rieures \u00e0 6.2.0.22",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Cloud APM, Base Private versions 8.1.4 sans le dernier correctif de s\u00e9curit\u00e9 Fixpack cumulatif Db2",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Cloud Pak for Security versions 1.10.x.x ant\u00e9rieures \u00e0 1.10.18.0",
"product": {
"name": "Cloud Pak",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Scale versions 5.1.x.x ant\u00e9rieures \u00e0 5.1.2.15",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM WebSphere Application Server versions 9.x sans le SDK version 8 Service Refresh 8 FP20",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar WinCollect Agent versions 10.0.x ant\u00e9rieures \u00e0 10.1.9",
"product": {
"name": "QRadar WinCollect Agent",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Scale versions 5.1.3.x ant\u00e9rieures \u00e0 5.1.9.2",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-35252",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35252"
},
{
"name": "CVE-2023-21938",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21938"
},
{
"name": "CVE-2022-32189",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32189"
},
{
"name": "CVE-2015-2327",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-2327"
},
{
"name": "CVE-2023-6681",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6681"
},
{
"name": "CVE-2023-43642",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43642"
},
{
"name": "CVE-2022-30631",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30631"
},
{
"name": "CVE-2023-46218",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46218"
},
{
"name": "CVE-2023-49082",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49082"
},
{
"name": "CVE-2015-8383",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8383"
},
{
"name": "CVE-2023-1370",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
},
{
"name": "CVE-2023-45857",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45857"
},
{
"name": "CVE-2023-45142",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45142"
},
{
"name": "CVE-2023-34053",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34053"
},
{
"name": "CVE-2022-27781",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27781"
},
{
"name": "CVE-2021-22925",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22925"
},
{
"name": "CVE-2023-46308",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46308"
},
{
"name": "CVE-2023-46234",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46234"
},
{
"name": "CVE-2023-38546",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38546"
},
{
"name": "CVE-2023-47747",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47747"
},
{
"name": "CVE-2023-47158",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47158"
},
{
"name": "CVE-2022-23529",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23529"
},
{
"name": "CVE-2023-34054",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34054"
},
{
"name": "CVE-2023-30991",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-30991"
},
{
"name": "CVE-2023-29404",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29404"
},
{
"name": "CVE-2023-21954",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21954"
},
{
"name": "CVE-2022-4304",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4304"
},
{
"name": "CVE-2023-37920",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-37920"
},
{
"name": "CVE-2023-21939",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21939"
},
{
"name": "CVE-2023-46167",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46167"
},
{
"name": "CVE-2022-24921",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24921"
},
{
"name": "CVE-2023-38740",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38740"
},
{
"name": "CVE-2022-32208",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32208"
},
{
"name": "CVE-2022-28327",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28327"
},
{
"name": "CVE-2022-1292",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1292"
},
{
"name": "CVE-2021-33196",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33196"
},
{
"name": "CVE-2021-31525",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31525"
},
{
"name": "CVE-2023-38719",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38719"
},
{
"name": "CVE-2023-30987",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-30987"
},
{
"name": "CVE-2023-45178",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45178"
},
{
"name": "CVE-2023-47701",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47701"
},
{
"name": "CVE-2022-41725",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41725"
},
{
"name": "CVE-2023-23936",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23936"
},
{
"name": "CVE-2023-50308",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50308"
},
{
"name": "CVE-2021-33198",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33198"
},
{
"name": "CVE-2023-40687",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40687"
},
{
"name": "CVE-2022-30635",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30635"
},
{
"name": "CVE-2015-8381",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8381"
},
{
"name": "CVE-2022-41715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41715"
},
{
"name": "CVE-2020-16845",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16845"
},
{
"name": "CVE-2023-0215",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0215"
},
{
"name": "CVE-2023-0286",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0286"
},
{
"name": "CVE-2022-25883",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25883"
},
{
"name": "CVE-2015-8392",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8392"
},
{
"name": "CVE-2022-3515",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3515"
},
{
"name": "CVE-2023-29403",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29403"
},
{
"name": "CVE-2022-27776",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27776"
},
{
"name": "CVE-2020-28367",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28367"
},
{
"name": "CVE-2024-20921",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20921"
},
{
"name": "CVE-2023-4807",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4807"
},
{
"name": "CVE-2023-44270",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44270"
},
{
"name": "CVE-2015-8395",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8395"
},
{
"name": "CVE-2023-28322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28322"
},
{
"name": "CVE-2023-34462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34462"
},
{
"name": "CVE-2023-29405",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29405"
},
{
"name": "CVE-2021-38297",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38297"
},
{
"name": "CVE-2015-8393",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8393"
},
{
"name": "CVE-2022-30629",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30629"
},
{
"name": "CVE-2022-23541",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23541"
},
{
"name": "CVE-2023-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
},
{
"name": "CVE-2023-5363",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5363"
},
{
"name": "CVE-2023-45133",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45133"
},
{
"name": "CVE-2023-47627",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47627"
},
{
"name": "CVE-2023-26049",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26049"
},
{
"name": "CVE-2022-2068",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2068"
},
{
"name": "CVE-2023-26115",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26115"
},
{
"name": "CVE-2023-0466",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0466"
},
{
"name": "CVE-2023-32559",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32559"
},
{
"name": "CVE-2022-27782",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27782"
},
{
"name": "CVE-2023-4586",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4586"
},
{
"name": "CVE-2022-32149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32149"
},
{
"name": "CVE-2023-40373",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40373"
},
{
"name": "CVE-2023-0465",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0465"
},
{
"name": "CVE-2022-32148",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32148"
},
{
"name": "CVE-2023-22081",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22081"
},
{
"name": "CVE-2023-20569",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20569"
},
{
"name": "CVE-2023-4206",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4206"
},
{
"name": "CVE-2023-38728",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38728"
},
{
"name": "CVE-2021-41771",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41771"
},
{
"name": "CVE-2023-28320",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28320"
},
{
"name": "CVE-2023-3611",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3611"
},
{
"name": "CVE-2021-33197",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33197"
},
{
"name": "CVE-2023-4128",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4128"
},
{
"name": "CVE-2022-29244",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29244"
},
{
"name": "CVE-2021-27918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27918"
},
{
"name": "CVE-2022-30630",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30630"
},
{
"name": "CVE-2023-46219",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46219"
},
{
"name": "CVE-2021-4160",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4160"
},
{
"name": "CVE-2023-32360",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32360"
},
{
"name": "CVE-2023-47746",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47746"
},
{
"name": "CVE-2022-43552",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43552"
},
{
"name": "CVE-2022-3786",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3786"
},
{
"name": "CVE-2023-38552",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38552"
},
{
"name": "CVE-2021-22947",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22947"
},
{
"name": "CVE-2023-28319",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28319"
},
{
"name": "CVE-2020-15586",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15586"
},
{
"name": "CVE-2021-22922",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22922"
},
{
"name": "CVE-2022-23540",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23540"
},
{
"name": "CVE-2022-22576",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22576"
},
{
"name": "CVE-2021-39293",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39293"
},
{
"name": "CVE-2022-1705",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1705"
},
{
"name": "CVE-2023-42795",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42795"
},
{
"name": "CVE-2023-4207",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4207"
},
{
"name": "CVE-2022-3510",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3510"
},
{
"name": "CVE-2022-3509",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3509"
},
{
"name": "CVE-2021-22946",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22946"
},
{
"name": "CVE-2023-39318",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39318"
},
{
"name": "CVE-2023-37276",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-37276"
},
{
"name": "CVE-2023-23920",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23920"
},
{
"name": "CVE-2022-41716",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41716"
},
{
"name": "CVE-2023-20593",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20593"
},
{
"name": "CVE-2021-3711",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3711"
},
{
"name": "CVE-2023-38720",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38720"
},
{
"name": "CVE-2023-34055",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34055"
},
{
"name": "CVE-2023-0464",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0464"
},
{
"name": "CVE-2022-24999",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24999"
},
{
"name": "CVE-2023-47141",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47141"
},
{
"name": "CVE-2022-30633",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30633"
},
{
"name": "CVE-2023-23918",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23918"
},
{
"name": "CVE-2015-8388",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8388"
},
{
"name": "CVE-2018-25032",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-25032"
},
{
"name": "CVE-2023-40692",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40692"
},
{
"name": "CVE-2021-41190",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41190"
},
{
"name": "CVE-2023-45193",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45193"
},
{
"name": "CVE-2022-30632",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30632"
},
{
"name": "CVE-2023-38003",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38003"
},
{
"name": "CVE-2023-45648",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45648"
},
{
"name": "CVE-2023-45803",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45803"
},
{
"name": "CVE-2023-29406",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29406"
},
{
"name": "CVE-2023-39319",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39319"
},
{
"name": "CVE-2023-47145",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47145"
},
{
"name": "CVE-2022-1962",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1962"
},
{
"name": "CVE-2024-22190",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22190"
},
{
"name": "CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"name": "CVE-2023-28321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28321"
},
{
"name": "CVE-2023-24536",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24536"
},
{
"name": "CVE-2022-32221",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32221"
},
{
"name": "CVE-2022-37434",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37434"
},
{
"name": "CVE-2022-40982",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40982"
},
{
"name": "CVE-2023-39976",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39976"
},
{
"name": "CVE-2022-28131",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28131"
},
{
"name": "CVE-2023-38325",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38325"
},
{
"name": "CVE-2023-4208",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4208"
},
{
"name": "CVE-2020-8244",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8244"
},
{
"name": "CVE-2022-24675",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24675"
},
{
"name": "CVE-2022-23806",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23806"
},
{
"name": "CVE-2020-19909",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-19909"
},
{
"name": "CVE-2022-48337",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48337"
},
{
"name": "CVE-2023-3776",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3776"
},
{
"name": "CVE-2021-36221",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-36221"
},
{
"name": "CVE-2023-44981",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44981"
},
{
"name": "CVE-2022-2880",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2880"
},
{
"name": "CVE-2023-21937",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21937"
},
{
"name": "CVE-2022-23773",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23773"
},
{
"name": "CVE-2023-24539",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24539"
},
{
"name": "CVE-2021-34558",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34558"
},
{
"name": "CVE-2022-23539",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23539"
},
{
"name": "CVE-2022-4450",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4450"
},
{
"name": "CVE-2023-33850",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33850"
},
{
"name": "CVE-2023-2650",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2650"
},
{
"name": "CVE-2015-8385",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8385"
},
{
"name": "CVE-2015-8394",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8394"
},
{
"name": "CVE-2020-29510",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-29510"
},
{
"name": "CVE-2022-2879",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2879"
},
{
"name": "CVE-2023-24532",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24532"
},
{
"name": "CVE-2015-8391",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8391"
},
{
"name": "CVE-2015-8386",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8386"
},
{
"name": "CVE-2022-23772",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23772"
},
{
"name": "CVE-2023-2597",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2597"
},
{
"name": "CVE-2021-41772",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41772"
},
{
"name": "CVE-2024-0727",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0727"
},
{
"name": "CVE-2023-6129",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6129"
},
{
"name": "CVE-2022-48339",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48339"
},
{
"name": "CVE-2015-8387",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8387"
},
{
"name": "CVE-2023-49081",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49081"
},
{
"name": "CVE-2021-3114",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3114"
},
{
"name": "CVE-2023-29400",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29400"
},
{
"name": "CVE-2022-25881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25881"
},
{
"name": "CVE-2022-43548",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43548"
},
{
"name": "CVE-2023-38727",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38727"
},
{
"name": "CVE-2021-29923",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29923"
},
{
"name": "CVE-2022-0778",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0778"
},
{
"name": "CVE-2022-41724",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41724"
},
{
"name": "CVE-2023-23919",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23919"
},
{
"name": "CVE-2020-24553",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-24553"
},
{
"name": "CVE-2023-29258",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29258"
},
{
"name": "CVE-2021-44716",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44716"
},
{
"name": "CVE-2023-34062",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34062"
},
{
"name": "CVE-2020-28362",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28362"
},
{
"name": "CVE-2023-5676",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5676"
},
{
"name": "CVE-2022-36046",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36046"
},
{
"name": "CVE-2022-2097",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2097"
},
{
"name": "CVE-2021-33194",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33194"
},
{
"name": "CVE-2023-24540",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24540"
},
{
"name": "CVE-2022-32206",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32206"
},
{
"name": "CVE-2002-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0059"
},
{
"name": "CVE-2023-43020",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43020"
},
{
"name": "CVE-2021-3712",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3712"
},
{
"name": "CVE-2023-21968",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21968"
},
{
"name": "CVE-2023-24537",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24537"
},
{
"name": "CVE-2023-27859",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27859"
},
{
"name": "CVE-2023-32731",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32731"
},
{
"name": "CVE-2023-21930",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21930"
},
{
"name": "CVE-2021-22926",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22926"
},
{
"name": "CVE-2015-2328",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-2328"
},
{
"name": "CVE-2024-20918",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20918"
},
{
"name": "CVE-2022-30580",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30580"
},
{
"name": "CVE-2023-32006",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32006"
},
{
"name": "CVE-2023-24538",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24538"
},
{
"name": "CVE-2020-14155",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14155"
},
{
"name": "CVE-2022-3602",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3602"
},
{
"name": "CVE-2023-2976",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2976"
},
{
"name": "CVE-2023-36665",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-36665"
},
{
"name": "CVE-2023-46158",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46158"
},
{
"name": "CVE-2021-22923",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22923"
},
{
"name": "CVE-2022-41723",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41723"
},
{
"name": "CVE-2023-40374",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40374"
},
{
"name": "CVE-2015-8390",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8390"
},
{
"name": "CVE-2023-46589",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46589"
},
{
"name": "CVE-2023-39323",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39323"
},
{
"name": "CVE-2023-29402",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29402"
},
{
"name": "CVE-2023-26048",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26048"
},
{
"name": "CVE-2023-39331",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39331"
},
{
"name": "CVE-2023-29409",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29409"
},
{
"name": "CVE-2023-32681",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32681"
},
{
"name": "CVE-2024-20945",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20945"
},
{
"name": "CVE-2023-24534",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24534"
},
{
"name": "CVE-2023-3446",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3446"
},
{
"name": "CVE-2022-3171",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
},
{
"name": "CVE-2023-39332",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39332"
},
{
"name": "CVE-2023-21967",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21967"
},
{
"name": "CVE-2020-14039",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14039"
},
{
"name": "CVE-2023-40372",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40372"
},
{
"name": "CVE-2023-26159",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26159"
},
{
"name": "CVE-2023-5678",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5678"
},
{
"name": "CVE-2023-47152",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47152"
},
{
"name": "CVE-2023-32002",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32002"
},
{
"name": "CVE-2020-28366",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28366"
},
{
"name": "CVE-2024-20952",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20952"
},
{
"name": "CVE-2021-33195",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33195"
},
{
"name": "CVE-2022-27664",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27664"
},
{
"name": "CVE-2023-38545",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38545"
},
{
"name": "CVE-2023-23916",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23916"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0145",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-02-16T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits IBM\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9\ndes donn\u00e9es, une ex\u00e9cution de code arbitraire \u00e0 distance et une\n\u00e9l\u00e9vation de privil\u00e8ges.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117872 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117872"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7118592 du 16 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7118592"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117873 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117873"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7118289 du 15 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7118289"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7118351 du 15 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7118351"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117821 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117821"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117883 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117883"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117881 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117881"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117884 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117884"
}
]
}
CERTFR-2022-AVI-591
Vulnerability from certfr_avis - Published: - Updated:
Multiple vulnerabilities have been discovered in IBM products. Some of them allow an attacker to cause arbitrary code execution, a remote denial of service and a security policy bypass.
Solution
Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).
| Vendor | Product | Description |
|---|---|---|
| IBM | Spectrum | IBM Spectrum Protect Plus versions earlier than 10.1.11 |
| IBM | Spectrum | IBM Spectrum Protect Client versions earlier than 8.1.1.15 |
| IBM | N/A | IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data versions earlier than 4.5.0 |
| IBM | Db2 | IBM® Db2® on Openshift versions earlier than 11.5.7.0-cn5 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Spectrum Protect Plus versions ant\u00e9rieures \u00e0 10.1.11",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Protect Client versions ant\u00e9rieures \u00e0 8.1.1.15",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM\u00ae Db2\u00ae et Db2 Warehouse\u00ae sur Cloud Pak for Data versions ant\u00e9rieures \u00e0 4.5.0",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM\u00ae Db2\u00ae sur Openshift versions ant\u00e9rieures \u00e0 11.5.7.0-cn5",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-29368",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-29368"
},
{
"name": "CVE-2021-20322",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20322"
},
{
"name": "CVE-2018-1099",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1099"
},
{
"name": "CVE-2021-4154",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4154"
},
{
"name": "CVE-2021-45485",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45485"
},
{
"name": "CVE-2022-27191",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27191"
},
{
"name": "CVE-2021-30465",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30465"
},
{
"name": "CVE-2019-11249",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11249"
},
{
"name": "CVE-2020-8557",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8557"
},
{
"name": "CVE-2020-7919",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7919"
},
{
"name": "CVE-2019-11247",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11247"
},
{
"name": "CVE-2020-28851",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28851"
},
{
"name": "CVE-2021-42248",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42248"
},
{
"name": "CVE-2018-1002105",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1002105"
},
{
"name": "CVE-2021-31525",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31525"
},
{
"name": "CVE-2020-15112",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15112"
},
{
"name": "CVE-2021-4203",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4203"
},
{
"name": "CVE-2021-25736",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25736"
},
{
"name": "CVE-2020-27813",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27813"
},
{
"name": "CVE-2018-17848",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17848"
},
{
"name": "CVE-2019-16884",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16884"
},
{
"name": "CVE-2021-41864",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41864"
},
{
"name": "CVE-2020-36385",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36385"
},
{
"name": "CVE-2020-25704",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25704"
},
{
"name": "CVE-2021-25735",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25735"
},
{
"name": "CVE-2017-18367",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18367"
},
{
"name": "CVE-2020-8564",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8564"
},
{
"name": "CVE-2021-20206",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20206"
},
{
"name": "CVE-2019-11246",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11246"
},
{
"name": "CVE-2021-31916",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31916"
},
{
"name": "CVE-2020-8565",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8565"
},
{
"name": "CVE-2021-27918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27918"
},
{
"name": "CVE-2021-3635",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3635"
},
{
"name": "CVE-2021-3573",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3573"
},
{
"name": "CVE-2018-1098",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1098"
},
{
"name": "CVE-2021-28971",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28971"
},
{
"name": "CVE-2019-11254",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11254"
},
{
"name": "CVE-2022-0286",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0286"
},
{
"name": "CVE-2021-4002",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4002"
},
{
"name": "CVE-2021-4083",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4083"
},
{
"name": "CVE-2021-45486",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45486"
},
{
"name": "CVE-2020-8551",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8551"
},
{
"name": "CVE-2017-1002101",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-1002101"
},
{
"name": "CVE-2021-4157",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4157"
},
{
"name": "CVE-2020-15106",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15106"
},
{
"name": "CVE-2021-43784",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43784"
},
{
"name": "CVE-2021-20321",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20321"
},
{
"name": "CVE-2018-17142",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17142"
},
{
"name": "CVE-2022-0185",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0185"
},
{
"name": "CVE-2022-0847",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0847"
},
{
"name": "CVE-2021-41190",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41190"
},
{
"name": "CVE-2021-44733",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44733"
},
{
"name": "CVE-2020-8552",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8552"
},
{
"name": "CVE-2021-20269",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20269"
},
{
"name": "CVE-2020-8554",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8554"
},
{
"name": "CVE-2019-11252",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11252"
},
{
"name": "CVE-2021-3121",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3121"
},
{
"name": "CVE-2019-11250",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11250"
},
{
"name": "CVE-2022-22942",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22942"
},
{
"name": "CVE-2022-1011",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1011"
},
{
"name": "CVE-2021-3669",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3669"
},
{
"name": "CVE-2020-8559",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8559"
},
{
"name": "CVE-2020-10752",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10752"
},
{
"name": "CVE-2021-28950",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28950"
},
{
"name": "CVE-2021-29650",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29650"
},
{
"name": "CVE-2020-36322",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36322"
},
{
"name": "CVE-2020-28852",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28852"
},
{
"name": "CVE-2021-4155",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4155"
},
{
"name": "CVE-2020-15113",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15113"
},
{
"name": "CVE-2020-29652",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-29652"
},
{
"name": "CVE-2018-17847",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17847"
},
{
"name": "CVE-2022-0492",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0492"
},
{
"name": "CVE-2020-26160",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26160"
},
{
"name": "CVE-2022-0778",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0778"
},
{
"name": "CVE-2021-42836",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42836"
},
{
"name": "CVE-2020-8555",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8555"
},
{
"name": "CVE-2021-44716",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44716"
},
{
"name": "CVE-2018-17143",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17143"
},
{
"name": "CVE-2019-11841",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11841"
},
{
"name": "CVE-2018-20699",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20699"
},
{
"name": "CVE-2021-33194",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33194"
},
{
"name": "CVE-2020-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14040"
},
{
"name": "CVE-2021-3764",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3764"
},
{
"name": "CVE-2019-1002101",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-1002101"
},
{
"name": "CVE-2021-38201",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38201"
},
{
"name": "CVE-2021-21781",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21781"
},
{
"name": "CVE-2022-0850",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0850"
},
{
"name": "CVE-2021-3538",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3538"
},
{
"name": "CVE-2019-11253",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11253"
},
{
"name": "CVE-2021-25737",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25737"
},
{
"name": "CVE-2018-17846",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-17846"
},
{
"name": "CVE-2021-4028",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4028"
},
{
"name": "CVE-2021-43565",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43565"
},
{
"name": "CVE-2021-25741",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25741"
},
{
"name": "CVE-2018-16886",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16886"
},
{
"name": "CVE-2021-44907",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44907"
},
{
"name": "CVE-2021-4197",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4197"
},
{
"name": "CVE-2020-9283",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9283"
},
{
"name": "CVE-2019-11840",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11840"
},
{
"name": "CVE-2019-11251",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11251"
},
{
"name": "CVE-2020-36067",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36067"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-591",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-06-30T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire, un d\u00e9ni de service \u00e0 distance et un\ncontournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6596399 du 29 juin 2022",
"url": "https://www.ibm.com/support/pages/node/6596399"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6596971 du 29 juin 2022",
"url": "https://www.ibm.com/support/pages/node/6596971"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6599703 du 29 juin 2022",
"url": "https://www.ibm.com/support/pages/node/6599703"
}
]
}
CERTFR-2024-AVI-0145
Vulnerability from certfr_avis - Published: - Updated:
Multiple vulnerabilities have been discovered in IBM products. Some of them allow an attacker to cause a breach of data confidentiality, remote arbitrary code execution and a privilege escalation.
Solution
Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).
| Vendor | Product | Description |
|---|---|---|
| IBM | Db2 | IBM Cloud APM, Advanced Private versions 8.1.4 without the latest Db2 cumulative Fixpack security fix |
| IBM | QRadar Suite Software | QRadar Suite Software versions 1.10.x.x earlier than 1.10.18.0 |
| IBM | N/A | IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions earlier than v4.8.2 |
| IBM | QRadar SIEM | IBM QRadar SIEM versions 7.5.x earlier than 7.5.0 UP7 IF05 |
| IBM | QRadar | IBM QRadar Use Case Manager App versions earlier than 3.9.0 |
| IBM | WebSphere | IBM WebSphere Application Server versions 8.5.x.x without SDK version 8 Service Refresh 8 FP20 |
| IBM | WebSphere | IBM WebSphere Application Server Liberty without SDK version 8 Service Refresh 8 FP20 |
| IBM | Sterling Connect:Direct | IBM Sterling Connect:Direct Web Services versions 6.1.x.x earlier than 6.1.0.23 |
| IBM | Sterling Connect:Direct | IBM Sterling Connect:Direct Web Services versions 6.3.x.x earlier than 6.3.0.6 |
| IBM | Sterling Connect:Direct | IBM Sterling Connect:Direct Web Services versions 6.2.x.x earlier than 6.2.0.22 |
| IBM | Db2 | IBM Cloud APM, Base Private versions 8.1.4 without the latest Db2 cumulative Fixpack security fix |
| IBM | Cloud Pak | IBM Cloud Pak for Security versions 1.10.x.x earlier than 1.10.18.0 |
| IBM | Spectrum | IBM Spectrum Scale versions 5.1.x.x earlier than 5.1.2.15 |
| IBM | WebSphere | IBM WebSphere Application Server versions 9.x without SDK version 8 Service Refresh 8 FP20 |
| IBM | QRadar WinCollect Agent | IBM QRadar WinCollect Agent versions 10.0.x earlier than 10.1.9 |
| IBM | Spectrum | IBM Spectrum Scale versions 5.1.3.x earlier than 5.1.9.2 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Cloud APM, Advanced Private versions 8.1.4 sans le dernier correctif de s\u00e9curit\u00e9 Fixpack cumulatif Db2",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar Suite Software versions 1.10.x.x ant\u00e9rieures \u00e0 1.10.18.0",
"product": {
"name": "QRadar Suite Software",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Db2 sur Cloud Pak pour Data et Db2 Warehouse sur Cloud Pak for Data versions ant\u00e9rieures \u00e0 v4.8.2",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar SIEM versions 7.5.x ant\u00e9rieures \u00e0 7.5.0 UP7 IF05",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar Use Case Manager App versions ant\u00e9rieures \u00e0 3.9.0",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM WebSphere Application Server versions 8.5.x.x sans le SDK version 8 Service Refresh 8 FP20",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM WebSphere Application Server Liberty sans le SDK version 8 Service Refresh 8 FP20",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Sterling Connect:Direct Web Services versions 6.1.x.x ant\u00e9rieures \u00e0 6.1.0.23",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Sterling Connect:Direct Web Services versions 6.3.x.x ant\u00e9rieures \u00e0 6.3.0.6",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Sterling Connect:Direct Web Services versions 6.2.x.x ant\u00e9rieures \u00e0 6.2.0.22",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Cloud APM, Base Private versions 8.1.4 sans le dernier correctif de s\u00e9curit\u00e9 Fixpack cumulatif Db2",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Cloud Pak for Security versions 1.10.x.x ant\u00e9rieures \u00e0 1.10.18.0",
"product": {
"name": "Cloud Pak",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Scale versions 5.1.x.x ant\u00e9rieures \u00e0 5.1.2.15",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM WebSphere Application Server versions 9.x sans le SDK version 8 Service Refresh 8 FP20",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar WinCollect Agent versions 10.0.x ant\u00e9rieures \u00e0 10.1.9",
"product": {
"name": "QRadar WinCollect Agent",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Scale versions 5.1.3.x ant\u00e9rieures \u00e0 5.1.9.2",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-35252",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35252"
},
{
"name": "CVE-2023-21938",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21938"
},
{
"name": "CVE-2022-32189",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32189"
},
{
"name": "CVE-2015-2327",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-2327"
},
{
"name": "CVE-2023-6681",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6681"
},
{
"name": "CVE-2023-43642",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43642"
},
{
"name": "CVE-2022-30631",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30631"
},
{
"name": "CVE-2023-46218",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46218"
},
{
"name": "CVE-2023-49082",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49082"
},
{
"name": "CVE-2015-8383",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8383"
},
{
"name": "CVE-2023-1370",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
},
{
"name": "CVE-2023-45857",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45857"
},
{
"name": "CVE-2023-45142",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45142"
},
{
"name": "CVE-2023-34053",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34053"
},
{
"name": "CVE-2022-27781",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27781"
},
{
"name": "CVE-2021-22925",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22925"
},
{
"name": "CVE-2023-46308",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46308"
},
{
"name": "CVE-2023-46234",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46234"
},
{
"name": "CVE-2023-38546",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38546"
},
{
"name": "CVE-2023-47747",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47747"
},
{
"name": "CVE-2023-47158",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47158"
},
{
"name": "CVE-2022-23529",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23529"
},
{
"name": "CVE-2023-34054",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34054"
},
{
"name": "CVE-2023-30991",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-30991"
},
{
"name": "CVE-2023-29404",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29404"
},
{
"name": "CVE-2023-21954",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21954"
},
{
"name": "CVE-2022-4304",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4304"
},
{
"name": "CVE-2023-37920",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-37920"
},
{
"name": "CVE-2023-21939",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21939"
},
{
"name": "CVE-2023-46167",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46167"
},
{
"name": "CVE-2022-24921",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24921"
},
{
"name": "CVE-2023-38740",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38740"
},
{
"name": "CVE-2022-32208",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32208"
},
{
"name": "CVE-2022-28327",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28327"
},
{
"name": "CVE-2022-1292",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1292"
},
{
"name": "CVE-2021-33196",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33196"
},
{
"name": "CVE-2021-31525",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31525"
},
{
"name": "CVE-2023-38719",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38719"
},
{
"name": "CVE-2023-30987",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-30987"
},
{
"name": "CVE-2023-45178",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45178"
},
{
"name": "CVE-2023-47701",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47701"
},
{
"name": "CVE-2022-41725",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41725"
},
{
"name": "CVE-2023-23936",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23936"
},
{
"name": "CVE-2023-50308",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50308"
},
{
"name": "CVE-2021-33198",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33198"
},
{
"name": "CVE-2023-40687",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40687"
},
{
"name": "CVE-2022-30635",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30635"
},
{
"name": "CVE-2015-8381",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8381"
},
{
"name": "CVE-2022-41715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41715"
},
{
"name": "CVE-2020-16845",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16845"
},
{
"name": "CVE-2023-0215",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0215"
},
{
"name": "CVE-2023-0286",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0286"
},
{
"name": "CVE-2022-25883",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25883"
},
{
"name": "CVE-2015-8392",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8392"
},
{
"name": "CVE-2022-3515",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3515"
},
{
"name": "CVE-2023-29403",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29403"
},
{
"name": "CVE-2022-27776",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27776"
},
{
"name": "CVE-2020-28367",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28367"
},
{
"name": "CVE-2024-20921",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20921"
},
{
"name": "CVE-2023-4807",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4807"
},
{
"name": "CVE-2023-44270",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44270"
},
{
"name": "CVE-2015-8395",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8395"
},
{
"name": "CVE-2023-28322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28322"
},
{
"name": "CVE-2023-34462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34462"
},
{
"name": "CVE-2023-29405",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29405"
},
{
"name": "CVE-2021-38297",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38297"
},
{
"name": "CVE-2015-8393",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8393"
},
{
"name": "CVE-2022-30629",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30629"
},
{
"name": "CVE-2022-23541",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23541"
},
{
"name": "CVE-2023-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
},
{
"name": "CVE-2023-5363",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5363"
},
{
"name": "CVE-2023-45133",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45133"
},
{
"name": "CVE-2023-47627",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47627"
},
{
"name": "CVE-2023-26049",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26049"
},
{
"name": "CVE-2022-2068",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2068"
},
{
"name": "CVE-2023-26115",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26115"
},
{
"name": "CVE-2023-0466",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0466"
},
{
"name": "CVE-2023-32559",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32559"
},
{
"name": "CVE-2022-27782",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27782"
},
{
"name": "CVE-2023-4586",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4586"
},
{
"name": "CVE-2022-32149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32149"
},
{
"name": "CVE-2023-40373",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40373"
},
{
"name": "CVE-2023-0465",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0465"
},
{
"name": "CVE-2022-32148",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32148"
},
{
"name": "CVE-2023-22081",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22081"
},
{
"name": "CVE-2023-20569",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20569"
},
{
"name": "CVE-2023-4206",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4206"
},
{
"name": "CVE-2023-38728",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38728"
},
{
"name": "CVE-2021-41771",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41771"
},
{
"name": "CVE-2023-28320",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28320"
},
{
"name": "CVE-2023-3611",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3611"
},
{
"name": "CVE-2021-33197",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33197"
},
{
"name": "CVE-2023-4128",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4128"
},
{
"name": "CVE-2022-29244",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29244"
},
{
"name": "CVE-2021-27918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27918"
},
{
"name": "CVE-2022-30630",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30630"
},
{
"name": "CVE-2023-46219",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46219"
},
{
"name": "CVE-2021-4160",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4160"
},
{
"name": "CVE-2023-32360",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32360"
},
{
"name": "CVE-2023-47746",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47746"
},
{
"name": "CVE-2022-43552",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43552"
},
{
"name": "CVE-2022-3786",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3786"
},
{
"name": "CVE-2023-38552",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38552"
},
{
"name": "CVE-2021-22947",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22947"
},
{
"name": "CVE-2023-28319",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28319"
},
{
"name": "CVE-2020-15586",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15586"
},
{
"name": "CVE-2021-22922",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22922"
},
{
"name": "CVE-2022-23540",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23540"
},
{
"name": "CVE-2022-22576",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22576"
},
{
"name": "CVE-2021-39293",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39293"
},
{
"name": "CVE-2022-1705",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1705"
},
{
"name": "CVE-2023-42795",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42795"
},
{
"name": "CVE-2023-4207",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4207"
},
{
"name": "CVE-2022-3510",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3510"
},
{
"name": "CVE-2022-3509",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3509"
},
{
"name": "CVE-2021-22946",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22946"
},
{
"name": "CVE-2023-39318",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39318"
},
{
"name": "CVE-2023-37276",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-37276"
},
{
"name": "CVE-2023-23920",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23920"
},
{
"name": "CVE-2022-41716",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41716"
},
{
"name": "CVE-2023-20593",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20593"
},
{
"name": "CVE-2021-3711",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3711"
},
{
"name": "CVE-2023-38720",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38720"
},
{
"name": "CVE-2023-34055",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34055"
},
{
"name": "CVE-2023-0464",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0464"
},
{
"name": "CVE-2022-24999",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24999"
},
{
"name": "CVE-2023-47141",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47141"
},
{
"name": "CVE-2022-30633",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30633"
},
{
"name": "CVE-2023-23918",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23918"
},
{
"name": "CVE-2015-8388",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8388"
},
{
"name": "CVE-2018-25032",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-25032"
},
{
"name": "CVE-2023-40692",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40692"
},
{
"name": "CVE-2021-41190",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41190"
},
{
"name": "CVE-2023-45193",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45193"
},
{
"name": "CVE-2022-30632",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30632"
},
{
"name": "CVE-2023-38003",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38003"
},
{
"name": "CVE-2023-45648",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45648"
},
{
"name": "CVE-2023-45803",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45803"
},
{
"name": "CVE-2023-29406",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29406"
},
{
"name": "CVE-2023-39319",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39319"
},
{
"name": "CVE-2023-47145",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47145"
},
{
"name": "CVE-2022-1962",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1962"
},
{
"name": "CVE-2024-22190",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22190"
},
{
"name": "CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"name": "CVE-2023-28321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28321"
},
{
"name": "CVE-2023-24536",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24536"
},
{
"name": "CVE-2022-32221",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32221"
},
{
"name": "CVE-2022-37434",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37434"
},
{
"name": "CVE-2022-40982",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40982"
},
{
"name": "CVE-2023-39976",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39976"
},
{
"name": "CVE-2022-28131",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28131"
},
{
"name": "CVE-2023-38325",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38325"
},
{
"name": "CVE-2023-4208",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4208"
},
{
"name": "CVE-2020-8244",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8244"
},
{
"name": "CVE-2022-24675",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24675"
},
{
"name": "CVE-2022-23806",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23806"
},
{
"name": "CVE-2020-19909",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-19909"
},
{
"name": "CVE-2022-48337",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48337"
},
{
"name": "CVE-2023-3776",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3776"
},
{
"name": "CVE-2021-36221",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-36221"
},
{
"name": "CVE-2023-44981",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44981"
},
{
"name": "CVE-2022-2880",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2880"
},
{
"name": "CVE-2023-21937",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21937"
},
{
"name": "CVE-2022-23773",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23773"
},
{
"name": "CVE-2023-24539",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24539"
},
{
"name": "CVE-2021-34558",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34558"
},
{
"name": "CVE-2022-23539",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23539"
},
{
"name": "CVE-2022-4450",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4450"
},
{
"name": "CVE-2023-33850",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33850"
},
{
"name": "CVE-2023-2650",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2650"
},
{
"name": "CVE-2015-8385",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8385"
},
{
"name": "CVE-2015-8394",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8394"
},
{
"name": "CVE-2020-29510",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-29510"
},
{
"name": "CVE-2022-2879",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2879"
},
{
"name": "CVE-2023-24532",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24532"
},
{
"name": "CVE-2015-8391",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8391"
},
{
"name": "CVE-2015-8386",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8386"
},
{
"name": "CVE-2022-23772",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23772"
},
{
"name": "CVE-2023-2597",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2597"
},
{
"name": "CVE-2021-41772",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41772"
},
{
"name": "CVE-2024-0727",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0727"
},
{
"name": "CVE-2023-6129",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6129"
},
{
"name": "CVE-2022-48339",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48339"
},
{
"name": "CVE-2015-8387",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8387"
},
{
"name": "CVE-2023-49081",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49081"
},
{
"name": "CVE-2021-3114",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3114"
},
{
"name": "CVE-2023-29400",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29400"
},
{
"name": "CVE-2022-25881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25881"
},
{
"name": "CVE-2022-43548",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43548"
},
{
"name": "CVE-2023-38727",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38727"
},
{
"name": "CVE-2021-29923",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29923"
},
{
"name": "CVE-2022-0778",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0778"
},
{
"name": "CVE-2022-41724",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41724"
},
{
"name": "CVE-2023-23919",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23919"
},
{
"name": "CVE-2020-24553",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-24553"
},
{
"name": "CVE-2023-29258",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29258"
},
{
"name": "CVE-2021-44716",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44716"
},
{
"name": "CVE-2023-34062",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34062"
},
{
"name": "CVE-2020-28362",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28362"
},
{
"name": "CVE-2023-5676",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5676"
},
{
"name": "CVE-2022-36046",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36046"
},
{
"name": "CVE-2022-2097",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2097"
},
{
"name": "CVE-2021-33194",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33194"
},
{
"name": "CVE-2023-24540",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24540"
},
{
"name": "CVE-2022-32206",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32206"
},
{
"name": "CVE-2002-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0059"
},
{
"name": "CVE-2023-43020",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43020"
},
{
"name": "CVE-2021-3712",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3712"
},
{
"name": "CVE-2023-21968",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21968"
},
{
"name": "CVE-2023-24537",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24537"
},
{
"name": "CVE-2023-27859",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27859"
},
{
"name": "CVE-2023-32731",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32731"
},
{
"name": "CVE-2023-21930",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21930"
},
{
"name": "CVE-2021-22926",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22926"
},
{
"name": "CVE-2015-2328",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-2328"
},
{
"name": "CVE-2024-20918",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20918"
},
{
"name": "CVE-2022-30580",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30580"
},
{
"name": "CVE-2023-32006",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32006"
},
{
"name": "CVE-2023-24538",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24538"
},
{
"name": "CVE-2020-14155",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14155"
},
{
"name": "CVE-2022-3602",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3602"
},
{
"name": "CVE-2023-2976",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2976"
},
{
"name": "CVE-2023-36665",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-36665"
},
{
"name": "CVE-2023-46158",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46158"
},
{
"name": "CVE-2021-22923",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22923"
},
{
"name": "CVE-2022-41723",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41723"
},
{
"name": "CVE-2023-40374",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40374"
},
{
"name": "CVE-2015-8390",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8390"
},
{
"name": "CVE-2023-46589",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46589"
},
{
"name": "CVE-2023-39323",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39323"
},
{
"name": "CVE-2023-29402",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29402"
},
{
"name": "CVE-2023-26048",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26048"
},
{
"name": "CVE-2023-39331",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39331"
},
{
"name": "CVE-2023-29409",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29409"
},
{
"name": "CVE-2023-32681",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32681"
},
{
"name": "CVE-2024-20945",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20945"
},
{
"name": "CVE-2023-24534",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24534"
},
{
"name": "CVE-2023-3446",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3446"
},
{
"name": "CVE-2022-3171",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
},
{
"name": "CVE-2023-39332",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39332"
},
{
"name": "CVE-2023-21967",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21967"
},
{
"name": "CVE-2020-14039",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14039"
},
{
"name": "CVE-2023-40372",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40372"
},
{
"name": "CVE-2023-26159",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26159"
},
{
"name": "CVE-2023-5678",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5678"
},
{
"name": "CVE-2023-47152",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47152"
},
{
"name": "CVE-2023-32002",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32002"
},
{
"name": "CVE-2020-28366",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28366"
},
{
"name": "CVE-2024-20952",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20952"
},
{
"name": "CVE-2021-33195",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33195"
},
{
"name": "CVE-2022-27664",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27664"
},
{
"name": "CVE-2023-38545",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38545"
},
{
"name": "CVE-2023-23916",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23916"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0145",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-02-16T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits IBM\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9\ndes donn\u00e9es, une ex\u00e9cution de code arbitraire \u00e0 distance et une\n\u00e9l\u00e9vation de privil\u00e8ges.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117872 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117872"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7118592 du 16 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7118592"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117873 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117873"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7118289 du 15 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7118289"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7118351 du 15 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7118351"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117821 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117821"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117883 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117883"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117881 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117881"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117884 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117884"
}
]
}
BDU:2023-03675
Vulnerability from fstec - Published: 17.11.2021
{
"CVSS 2.0": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"CVSS 3.0": "AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Red Hat Inc., Fedora Project, \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb, IBM Corp., \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, Cloud Native Computing Foundation, Moby Project",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "8 (Red Hat Enterprise Linux), 34 (Fedora), 35 (Fedora), 7.3 (\u0420\u0415\u0414 \u041e\u0421), - (\u0410\u043b\u044c\u0442 8 \u0421\u041f), 4 (Red Hat OpenShift Container Platform), 9 (Red Hat Enterprise Linux), 4.10 (Red Hat OpenShift Container Platform), 3.70 (Red Hat Advanced Cluster Security (RHACS) for Kubernetes), 2.5 (Red Hat Advanced Cluster Management for Kubernetes), 11.1 (IBM CICS TX Advanced), 1.7 (Red Hat Migration Toolkit for Containers), \u0434\u043e 3.4.3 (Podman), \u0434\u043e 1.0.0 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Open Container Initiative Distribution Specification), \u0434\u043e 1.0.1 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (OCI Image Format Specification), \u0434\u043e 1.4.12 (Containerd), \u043e\u0442 1.5.0 \u0434\u043e 1.5.8 (Containerd), \u0434\u043e 20.10.11 (Moby), 4.11 (Red Hat OpenShift Container Platform)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Open Container Initiative Distribution Specification:\nhttps://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923\nhttps://github.com/opencontainers/distribution-spec/releases/tag/v1.0.1\n\n\u0414\u043b\u044f OCI Image Format Specification:\nhttps://github.com/opencontainers/image-spec/releases/tag/v1.0.2\nhttps://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh\n\n\u0414\u043b\u044f Podman:\nhttps://github.com/containers/podman/releases/tag/v3.4.3\n\n\u0414\u043b\u044f Containerd:\nhttps://github.com/containerd/containerd/releases/tag/v1.4.12\nhttps://github.com/containerd/containerd/releases/tag/v1.5.8\n\n\u0414\u043b\u044f Moby:\nhttps://github.com/moby/moby/releases/tag/v20.10.11\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: \nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/cve-2021-41190\n\n\u0414\u043b\u044f Fedora:\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/ \nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/ \nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/ \nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/ 
\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/ \nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/ \nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/ \nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/\n\n\u0414\u043b\u044f IBM CICS TX Advanced:\nhttps://www.ibm.com/support/pages/security-bulletin-ibm-cics-tx-advanced-vulnerable-open-container-initiative-distribution-specification-vulnerability-cve-2021-41190\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n\u041f\u0440\u0438 \u0438\u0437\u0432\u043b\u0435\u0447\u0435\u043d\u0438\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 \u0438\u0437 \u0440\u0435\u0435\u0441\u0442\u0440\u0430 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0442\u044c \u0434\u0430\u043d\u043d\u044b\u0435 \u0441 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u043e\u043c Content-Type, \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0449\u0438\u0435 \u043f\u043e\u043b\u044f \u00abmanifests\u00bb \u0438 \u00ablayers\u00bb \u0438\u043b\u0438 \u00abmanifests\u00bb \u0438 \u00abconfig\u00bb \u0438 \u043e\u0442\u043a\u043b\u043e\u043d\u044f\u0442\u044c \u0442\u0430\u043a\u0438\u0435 \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u044b.\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u043b\u044c\u0442 8 \u0421\u041f: \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f 
\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "17.11.2021",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "08.08.2023",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "13.07.2023",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2023-03675",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2021-41190",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Red Hat Enterprise Linux, Fedora, \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u0410\u043b\u044c\u0442 8 \u0421\u041f (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), Red Hat OpenShift Container Platform, Red Hat Advanced Cluster Security (RHACS) for Kubernetes, Red Hat Advanced Cluster Management for Kubernetes, IBM CICS TX Advanced, Red Hat Migration Toolkit for Containers, Podman, Open Container Initiative Distribution Specification, OCI Image Format Specification, Containerd, Moby",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Red Hat Inc. Red Hat Enterprise Linux 8 , Fedora Project Fedora 34 , Fedora Project Fedora 35 , \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u043b\u044c\u0442 8 \u0421\u041f - (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), Red Hat Inc. Red Hat Enterprise Linux 9 ",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u0434\u043b\u044f \u0443\u043f\u0440\u043e\u0449\u0435\u043d\u0438\u044f \u0438 \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u0438\u0437\u0430\u0446\u0438\u0438 \u0440\u0430\u0441\u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0433\u043e \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u043e\u0432 Open Container Initiative Distribution Specification (OCI Distribution Specification), \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043e\u0448\u0438\u0431\u043a\u043e\u0439 \u0441\u043c\u0435\u0448\u0435\u043d\u0438\u044f \u0442\u0438\u043f\u043e\u0432, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043e\u0437\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0435 \u043d\u0430 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0414\u043e\u0441\u0442\u0443\u043f \u043a \u0440\u0435\u0441\u0443\u0440\u0441\u0443 \u0447\u0435\u0440\u0435\u0437 \u043d\u0435\u0441\u043e\u0432\u043c\u0435\u0441\u0442\u0438\u043c\u044b\u0435 \u0442\u0438\u043f\u044b (CWE-843)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u0434\u043b\u044f \u0443\u043f\u0440\u043e\u0449\u0435\u043d\u0438\u044f \u0438 \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u0438\u0437\u0430\u0446\u0438\u0438 \u0440\u0430\u0441\u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0433\u043e \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u043e\u0432 Open Container Initiative Distribution Specification (OCI Distribution Specification) \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0448\u0438\u0431\u043a\u043e\u0439 \u0441\u043c\u0435\u0448\u0435\u043d\u0438\u044f \u0442\u0438\u043f\u043e\u0432 \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430 Content-Type, \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0449\u0435\u0433\u043e \u043f\u043e\u043b\u044f \u00abmanifests\u00bb \u0438 \u00ablayers\u00bb \u0438\u043b\u0438 \u00abmanifests\u00bb \u0438 \u00abconfig\u00bb \u0432 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u0439 push \u0438 pull. 
\u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043e\u0437\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0435 \u043d\u0430 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://redos.red-soft.ru/support/secure/uyazvimosti/mnozhestvennye-uyazvimosti-podman-cve-2023-0778-cve-2022-27649-cve-2021-41190-cve-2021-4024-cve-2022/\nhttps://www.ibm.com/support/pages/security-bulletin-ibm-cics-tx-advanced-vulnerable-open-container-initiative-distribution-specification-vulnerability-cve-2021-41190\nhttps://access.redhat.com/security/cve/cve-2021-41190\nttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/ \nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/ \nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/ \nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/ \nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/ \nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/ \nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/ 
\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/\nhttps://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m\nhttps://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh\nhttps://www.openwall.com/lists/oss-security/2021/11/19/10\nhttps://security-tracker.debian.org/tracker/CVE-2021-41190\nhttps://github.com/moby/moby/pull/43025/files\nhttps://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2024938\nhttps://altsp.su/obnovleniya-bezopasnosti/",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0440\u0435\u0434\u0441\u0442\u0432\u043e \u0437\u0430\u0449\u0438\u0442\u044b, \u041f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e \u0437\u0430\u0449\u0438\u0442\u044b, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u041f\u041e \u0434\u043b\u044f \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0418\u0418",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-843",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4)\n\u041d\u0438\u0437\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 3)"
}
FKIE_CVE-2021-41190
Vulnerability from fkie_nvd - Published: 2021-11-17 20:15 - Updated: 2024-11-21 06:25
5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:linuxfoundation:open_container_initiative_distribution_specification:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CEA62E19-78AE-4FD8-8888-B347544BB7A9",
"versionEndIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:linuxfoundation:open_container_initiative_image_format_specification:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1355CC51-5D8D-4C5A-AA67-93157ED1ADAE",
"versionEndIncluding": "1.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
"matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \u201cmanifests\u201d and \u201clayers\u201d fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \u201cmanifests\u201d and \u201clayers\u201d fields or \u201cmanifests\u201d and \u201cconfig\u201d fields if they are unable to update to version 1.0.1 of the spec."
},
{
"lang": "es",
"value": "El proyecto OCI Distribution Spec define un protocolo API para facilitar y estandarizar la distribuci\u00f3n de contenidos. En la versi\u00f3n 1.0.0 de OCI Distribution Specification y anteriores, se utilizaba \u00fanicamente la cabecera Content-Type para determinar el tipo de documento durante las operaciones push y pull. Los documentos que conten\u00edan campos \"manifiestos\" y \"capas\" pod\u00edan interpretarse como un manifiesto o un \u00edndice en ausencia de una cabecera Content-Type que los acompa\u00f1ara. Si una cabecera Content-Type cambiaba entre dos pulls del mismo compendio, un cliente podr\u00eda interpretar el contenido resultante de forma diferente. La especificaci\u00f3n de distribuci\u00f3n de la OCI se ha actualizado para exigir que el valor de mediaType presente en un manifiesto o \u00edndice coincida con la cabecera Content-Type utilizada durante las operaciones push y pull. Los clientes que extraen de un registro pueden desconfiar de la cabecera Content-Type y rechazar un documento ambiguo que contenga campos \"manifiestos\" y \"capas\" o campos \"manifiestos\" y \"config\" si no pueden actualizarse a la versi\u00f3n 1.0.1 de la especificaci\u00f3n"
}
],
"id": "CVE-2021-41190",
"lastModified": "2024-11-21T06:25:43.537",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.0,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-17T20:15:10.333",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/19/10"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/19/10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-843"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-843"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-MC8V-MGRF-8F4M
Vulnerability from github – Published: 2021-11-18 16:13 – Updated: 2021-12-13 13:12
Impact
In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently.
Patches
The OCI Distribution Specification will be updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations.
Workarounds
Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields.
References
https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
For more information
If you have any questions or comments about this advisory:
* Open an issue in https://github.com/opencontainers/distribution-spec/
* Email us at security@opencontainers.org
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/opencontainers/distribution-spec"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41190"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-17T23:13:37Z",
"nvd_published_at": "2021-11-17T20:15:00Z",
"severity": "LOW"
},
"details": "### Impact\nIn the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \u201cmanifests\u201d and \u201clayers\u201d fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently.\n\n### Patches\nThe OCI Distribution Specification will be updated to require that a `mediaType` value present in a manifest or index match the Content-Type header used during the push and pull operations.\n\n### Workarounds\nClients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \u201cmanifests\u201d and \u201clayers\u201d fields or \u201cmanifests\u201d and \u201cconfig\u201d fields.\n\n### References\nhttps://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in https://github.com/opencontainers/distribution-spec/\n* Email us at security@opencontainers.org\n",
"id": "GHSA-mc8v-mgrf-8f4m",
"modified": "2021-12-13T13:12:02Z",
"published": "2021-11-18T16:13:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41190"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923"
},
{
"type": "PACKAGE",
"url": "https://github.com/opencontainers/distribution-spec"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/11/19/10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Clarify Content-Type handling"
}
GSD-2021-41190
Vulnerability from gsd - Updated: 2023-12-13 01:23
{
"GSD": {
"alias": "CVE-2021-41190",
"description": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \u201cmanifests\u201d and \u201clayers\u201d fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \u201cmanifests\u201d and \u201clayers\u201d fields or \u201cmanifests\u201d and \u201cconfig\u201d fields if they are unable to update to version 1.0.1 of the spec.",
"id": "GSD-2021-41190",
"references": [
"https://www.suse.com/security/cve/CVE-2021-41190.html",
"https://access.redhat.com/errata/RHSA-2022:0687",
"https://access.redhat.com/errata/RHSA-2022:0055",
"https://advisories.mageia.org/CVE-2021-41190.html",
"https://security.archlinux.org/CVE-2021-41190",
"https://access.redhat.com/errata/RHSA-2022:1476",
"https://alas.aws.amazon.com/cve/html/CVE-2021-41190.html",
"https://access.redhat.com/errata/RHSA-2022:1734",
"https://access.redhat.com/errata/RHSA-2022:4668",
"https://access.redhat.com/errata/RHSA-2022:4880",
"https://access.redhat.com/errata/RHSA-2022:4956",
"https://access.redhat.com/errata/RHSA-2022:5069",
"https://access.redhat.com/errata/RHSA-2022:7457"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-41190"
],
"details": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \u201cmanifests\u201d and \u201clayers\u201d fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \u201cmanifests\u201d and \u201clayers\u201d fields or \u201cmanifests\u201d and \u201cconfig\u201d fields if they are unable to update to version 1.0.1 of the spec.",
"id": "GSD-2021-41190",
"modified": "2023-12-13T01:23:27.230076Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41190",
"STATE": "PUBLIC",
"TITLE": "Clarify Content-Type handling in OCI spec"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "distribution-spec",
"version": {
"version_data": [
{
"version_value": "\u003c 1.0.1"
}
]
}
}
]
},
"vendor_name": "opencontainers"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \u201cmanifests\u201d and \u201clayers\u201d fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \u201cmanifests\u201d and \u201clayers\u201d fields or \u201cmanifests\u201d and \u201cconfig\u201d fields if they are unable to update to version 1.0.1 of the spec."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.0,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m",
"refsource": "CONFIRM",
"url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
},
{
"name": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923",
"refsource": "MISC",
"url": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923"
},
{
"name": "[oss-security] 20211119 CVE-2021-41190 OCI distribution and image spec: \"content-type\" confusion",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/11/19/10"
},
{
"name": "FEDORA-2021-d250fc2622",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/"
},
{
"name": "FEDORA-2021-6dc68dbe4d",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/"
},
{
"name": "FEDORA-2021-79ba5abef6",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/"
},
{
"name": "FEDORA-2021-eb2742b148",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/"
},
{
"name": "FEDORA-2021-3dda301691",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/"
},
{
"name": "FEDORA-2021-aacef7fa15",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/"
},
{
"name": "FEDORA-2021-62352983b4",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/"
},
{
"name": "FEDORA-2021-6789ed60f2",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/"
}
]
},
"source": {
"advisory": "GHSA-mc8v-mgrf-8f4m",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.0.1",
"affected_versions": "All versions before 1.0.1",
"cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-843",
"CWE-937"
],
"date": "2023-07-18",
"description": "This advisory has been marked as False Positive and moved to go/github.com/opencontainers/distribution-spec/specs-go",
"fixed_versions": [
"1.0.1"
],
"identifier": "CVE-2021-41190",
"identifiers": [
"GHSA-mc8v-mgrf-8f4m",
"CVE-2021-41190"
],
"not_impacted": "All versions starting from 1.0.1",
"package_slug": "go/github.com/opencontainers/distribution-spec",
"pubdate": "2021-11-18",
"solution": "Upgrade to version 1.0.1 or above.",
"title": "False Positive",
"urls": [
"https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m",
"https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923",
"https://nvd.nist.gov/vuln/detail/CVE-2021-41190",
"https://github.com/advisories/GHSA-mc8v-mgrf-8f4m"
],
"uuid": "fba76e5a-5a91-4341-8ed1-f4285ef66367"
},
{
"affected_range": "\u003c1.0.1",
"affected_versions": "All versions before 1.0.1",
"cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-843",
"CWE-937"
],
"date": "2023-07-18",
"description": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \u201cmanifests\u201d and \u201clayers\u201d fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \u201cmanifests\u201d and \u201clayers\u201d fields or \u201cmanifests\u201d and \u201cconfig\u201d fields if they are unable to update to version 1.0.1 of the spec.",
"fixed_versions": [
"1.0.1"
],
"identifier": "CVE-2021-41190",
"identifiers": [
"GHSA-mc8v-mgrf-8f4m",
"CVE-2021-41190"
],
"not_impacted": "All versions starting from 1.0.1",
"package_slug": "go/github.com/opencontainers/distribution-spec/specs-go",
"pubdate": "2021-11-18",
"solution": "Upgrade to version 1.0.1 or above.",
"title": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"urls": [
"https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m",
"https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923",
"https://nvd.nist.gov/vuln/detail/CVE-2021-41190",
"https://github.com/advisories/GHSA-mc8v-mgrf-8f4m"
],
"uuid": "02778e3a-45a4-486c-a169-c1cd382dba16"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:open_container_initiative_distribution_specification:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:open_container_initiative_image_format_specification:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.0.1",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41190"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \u201cmanifests\u201d and \u201clayers\u201d fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \u201cmanifests\u201d and \u201clayers\u201d fields or \u201cmanifests\u201d and \u201cconfig\u201d fields if they are unable to update to version 1.0.1 of the spec."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-843"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
},
{
"name": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923"
},
{
"name": "[oss-security] 20211119 CVE-2021-41190 OCI distribution and image spec: \"content-type\" confusion",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/19/10"
},
{
"name": "FEDORA-2021-d250fc2622",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/"
},
{
"name": "FEDORA-2021-6dc68dbe4d",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/"
},
{
"name": "FEDORA-2021-79ba5abef6",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/"
},
{
"name": "FEDORA-2021-eb2742b148",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/"
},
{
"name": "FEDORA-2021-3dda301691",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/"
},
{
"name": "FEDORA-2021-aacef7fa15",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/"
},
{
"name": "FEDORA-2021-6789ed60f2",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/"
},
{
"name": "FEDORA-2021-62352983b4",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 1.4
}
},
"lastModifiedDate": "2021-12-10T17:08Z",
"publishedDate": "2021-11-17T20:15Z"
}
}
}
OPENSUSE-SU-2021:1525-1
Vulnerability from csaf_opensuse - Published: 2021-12-04 13:06 - Updated: 2021-12-04 13:06

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.i586 | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.i586 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.x86_64 | — | | Vendor Fix |

{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for singularity",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for singularity fixes the following issues:\n\nUpdate to 3.8.5:\n\n- CVE-2021-41190: Fixed OCI manifest and index parsing confusion (boo#1193273).\n- Building Singularity from source requires go greater or equal 1.16. We now aim\n to support the two most recent stable versions of Go. This\n corresponds to the Go Release Maintenance Policy\n- Sourcing a script based on PATH is now permitted, fixing a\n regression introduced in 3.6.0.\n- Environment variables in container definition files are\n properly scoped, fixing a regression introduced in 3.8.0.\n- Fix the oras contexts to avoid hangs upon failed pushes to \n Harbor registry.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2021-1525",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_1525-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:1525-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L3AGIEOXZIUUEYYMWKJCJCQI7V235UTR/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:1525-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L3AGIEOXZIUUEYYMWKJCJCQI7V235UTR/"
},
{
"category": "self",
"summary": "SUSE Bug 1193273",
"url": "https://bugzilla.suse.com/1193273"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-41190 page",
"url": "https://www.suse.com/security/cve/CVE-2021-41190/"
}
],
"title": "Security update for singularity",
"tracking": {
"current_release_date": "2021-12-04T13:06:13Z",
"generator": {
"date": "2021-12-04T13:06:13Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:1525-1",
"initial_release_date": "2021-12-04T13:06:13Z",
"revision_history": [
{
"date": "2021-12-04T13:06:13Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "singularity-3.8.5-bp153.2.10.1.aarch64",
"product": {
"name": "singularity-3.8.5-bp153.2.10.1.aarch64",
"product_id": "singularity-3.8.5-bp153.2.10.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "singularity-3.8.5-bp153.2.10.1.i586",
"product": {
"name": "singularity-3.8.5-bp153.2.10.1.i586",
"product_id": "singularity-3.8.5-bp153.2.10.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "singularity-3.8.5-bp153.2.10.1.s390x",
"product": {
"name": "singularity-3.8.5-bp153.2.10.1.s390x",
"product_id": "singularity-3.8.5-bp153.2.10.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "singularity-3.8.5-bp153.2.10.1.x86_64",
"product": {
"name": "singularity-3.8.5-bp153.2.10.1.x86_64",
"product_id": "singularity-3.8.5-bp153.2.10.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP3",
"product": {
"name": "SUSE Package Hub 15 SP3",
"product_id": "SUSE Package Hub 15 SP3"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.3",
"product": {
"name": "openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "singularity-3.8.5-bp153.2.10.1.aarch64 as component of SUSE Package Hub 15 SP3",
"product_id": "SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.aarch64"
},
"product_reference": "singularity-3.8.5-bp153.2.10.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "singularity-3.8.5-bp153.2.10.1.i586 as component of SUSE Package Hub 15 SP3",
"product_id": "SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.i586"
},
"product_reference": "singularity-3.8.5-bp153.2.10.1.i586",
"relates_to_product_reference": "SUSE Package Hub 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "singularity-3.8.5-bp153.2.10.1.s390x as component of SUSE Package Hub 15 SP3",
"product_id": "SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.s390x"
},
"product_reference": "singularity-3.8.5-bp153.2.10.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "singularity-3.8.5-bp153.2.10.1.x86_64 as component of SUSE Package Hub 15 SP3",
"product_id": "SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.x86_64"
},
"product_reference": "singularity-3.8.5-bp153.2.10.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "singularity-3.8.5-bp153.2.10.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.aarch64"
},
"product_reference": "singularity-3.8.5-bp153.2.10.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "singularity-3.8.5-bp153.2.10.1.i586 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.i586"
},
"product_reference": "singularity-3.8.5-bp153.2.10.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "singularity-3.8.5-bp153.2.10.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.s390x"
},
"product_reference": "singularity-3.8.5-bp153.2.10.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "singularity-3.8.5-bp153.2.10.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.x86_64"
},
"product_reference": "singularity-3.8.5-bp153.2.10.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-41190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-41190"
}
],
"notes": [
{
"category": "general",
"text": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \"manifests\" and \"layers\" fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \"manifests\" and \"layers\" fields or \"manifests\" and \"config\" fields if they are unable to update to version 1.0.1 of the spec.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.aarch64",
"SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.i586",
"SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.s390x",
"SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.x86_64",
"openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.aarch64",
"openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.i586",
"openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.s390x",
"openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-41190",
"url": "https://www.suse.com/security/cve/CVE-2021-41190"
},
{
"category": "external",
"summary": "SUSE Bug 1193273 for CVE-2021-41190",
"url": "https://bugzilla.suse.com/1193273"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.aarch64",
"SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.i586",
"SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.s390x",
"SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.x86_64",
"openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.aarch64",
"openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.i586",
"openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.s390x",
"openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.aarch64",
"SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.i586",
"SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.s390x",
"SUSE Package Hub 15 SP3:singularity-3.8.5-bp153.2.10.1.x86_64",
"openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.aarch64",
"openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.i586",
"openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.s390x",
"openSUSE Leap 15.3:singularity-3.8.5-bp153.2.10.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-12-04T13:06:13Z",
"details": "moderate"
}
],
"title": "CVE-2021-41190"
}
]
}
OPENSUSE-SU-2022:0334-1
Vulnerability from csaf_opensuse - Published: 2022-02-04 08:31 - Updated: 2022-02-04 08:31

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch | — | | Vendor Fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch | — | Vendor Fix | |
| Unresolved product id: openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch | — | Vendor Fix | |

{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for containerd, docker",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for containerd, docker fixes the following issues:\n\n- CVE-2021-41089: Fixed \u0027cp\u0027 can chmod host files (bsc#1191015).\n- CVE-2021-41091: Fixed flaw that could lead to data directory traversal in moby (bsc#1191434).\n- CVE-2021-41092: Fixed exposed user credentials with a misconfigured configuration file (bsc#1191334).\n- CVE-2021-41103: Fixed file access to local users in containerd (bsc#1191121).\n- CVE-2021-41190: Fixed OCI manifest and index parsing confusion (bsc#1193273).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-SLE-15.3-2022-334",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_0334-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2022:0334-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ULRUJXC3YBVKDKJAERWLY6BKJ7U3246G/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2022:0334-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ULRUJXC3YBVKDKJAERWLY6BKJ7U3246G/"
},
{
"category": "self",
"summary": "SUSE Bug 1191015",
"url": "https://bugzilla.suse.com/1191015"
},
{
"category": "self",
"summary": "SUSE Bug 1191121",
"url": "https://bugzilla.suse.com/1191121"
},
{
"category": "self",
"summary": "SUSE Bug 1191334",
"url": "https://bugzilla.suse.com/1191334"
},
{
"category": "self",
"summary": "SUSE Bug 1191434",
"url": "https://bugzilla.suse.com/1191434"
},
{
"category": "self",
"summary": "SUSE Bug 1193273",
"url": "https://bugzilla.suse.com/1193273"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-41089 page",
"url": "https://www.suse.com/security/cve/CVE-2021-41089/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-41091 page",
"url": "https://www.suse.com/security/cve/CVE-2021-41091/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-41092 page",
"url": "https://www.suse.com/security/cve/CVE-2021-41092/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-41103 page",
"url": "https://www.suse.com/security/cve/CVE-2021-41103/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-41190 page",
"url": "https://www.suse.com/security/cve/CVE-2021-41190/"
}
],
"title": "Security update for containerd, docker",
"tracking": {
"current_release_date": "2022-02-04T08:31:13Z",
"generator": {
"date": "2022-02-04T08:31:13Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2022:0334-1",
"initial_release_date": "2022-02-04T08:31:13Z",
"revision_history": [
{
"date": "2022-02-04T08:31:13Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.4.12-60.1.aarch64",
"product": {
"name": "containerd-1.4.12-60.1.aarch64",
"product_id": "containerd-1.4.12-60.1.aarch64"
}
},
{
"category": "product_version",
"name": "containerd-ctr-1.4.12-60.1.aarch64",
"product": {
"name": "containerd-ctr-1.4.12-60.1.aarch64",
"product_id": "containerd-ctr-1.4.12-60.1.aarch64"
}
},
{
"category": "product_version",
"name": "docker-20.10.12_ce-159.1.aarch64",
"product": {
"name": "docker-20.10.12_ce-159.1.aarch64",
"product_id": "docker-20.10.12_ce-159.1.aarch64"
}
},
{
"category": "product_version",
"name": "docker-kubic-20.10.12_ce-159.1.aarch64",
"product": {
"name": "docker-kubic-20.10.12_ce-159.1.aarch64",
"product_id": "docker-kubic-20.10.12_ce-159.1.aarch64"
}
},
{
"category": "product_version",
"name": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"product": {
"name": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"product_id": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "docker-bash-completion-20.10.12_ce-159.1.noarch",
"product": {
"name": "docker-bash-completion-20.10.12_ce-159.1.noarch",
"product_id": "docker-bash-completion-20.10.12_ce-159.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-fish-completion-20.10.12_ce-159.1.noarch",
"product": {
"name": "docker-fish-completion-20.10.12_ce-159.1.noarch",
"product_id": "docker-fish-completion-20.10.12_ce-159.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"product": {
"name": "docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"product_id": "docker-kubic-bash-completion-20.10.12_ce-159.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"product": {
"name": "docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"product_id": "docker-kubic-fish-completion-20.10.12_ce-159.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"product": {
"name": "docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"product_id": "docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-zsh-completion-20.10.12_ce-159.1.noarch",
"product": {
"name": "docker-zsh-completion-20.10.12_ce-159.1.noarch",
"product_id": "docker-zsh-completion-20.10.12_ce-159.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.4.12-60.1.ppc64le",
"product": {
"name": "containerd-1.4.12-60.1.ppc64le",
"product_id": "containerd-1.4.12-60.1.ppc64le"
}
},
{
"category": "product_version",
"name": "containerd-ctr-1.4.12-60.1.ppc64le",
"product": {
"name": "containerd-ctr-1.4.12-60.1.ppc64le",
"product_id": "containerd-ctr-1.4.12-60.1.ppc64le"
}
},
{
"category": "product_version",
"name": "docker-20.10.12_ce-159.1.ppc64le",
"product": {
"name": "docker-20.10.12_ce-159.1.ppc64le",
"product_id": "docker-20.10.12_ce-159.1.ppc64le"
}
},
{
"category": "product_version",
"name": "docker-kubic-20.10.12_ce-159.1.ppc64le",
"product": {
"name": "docker-kubic-20.10.12_ce-159.1.ppc64le",
"product_id": "docker-kubic-20.10.12_ce-159.1.ppc64le"
}
},
{
"category": "product_version",
"name": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"product": {
"name": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"product_id": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.4.12-60.1.s390x",
"product": {
"name": "containerd-1.4.12-60.1.s390x",
"product_id": "containerd-1.4.12-60.1.s390x"
}
},
{
"category": "product_version",
"name": "containerd-ctr-1.4.12-60.1.s390x",
"product": {
"name": "containerd-ctr-1.4.12-60.1.s390x",
"product_id": "containerd-ctr-1.4.12-60.1.s390x"
}
},
{
"category": "product_version",
"name": "docker-20.10.12_ce-159.1.s390x",
"product": {
"name": "docker-20.10.12_ce-159.1.s390x",
"product_id": "docker-20.10.12_ce-159.1.s390x"
}
},
{
"category": "product_version",
"name": "docker-kubic-20.10.12_ce-159.1.s390x",
"product": {
"name": "docker-kubic-20.10.12_ce-159.1.s390x",
"product_id": "docker-kubic-20.10.12_ce-159.1.s390x"
}
},
{
"category": "product_version",
"name": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"product": {
"name": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"product_id": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.4.12-60.1.x86_64",
"product": {
"name": "containerd-1.4.12-60.1.x86_64",
"product_id": "containerd-1.4.12-60.1.x86_64"
}
},
{
"category": "product_version",
"name": "containerd-ctr-1.4.12-60.1.x86_64",
"product": {
"name": "containerd-ctr-1.4.12-60.1.x86_64",
"product_id": "containerd-ctr-1.4.12-60.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-20.10.12_ce-159.1.x86_64",
"product": {
"name": "docker-20.10.12_ce-159.1.x86_64",
"product_id": "docker-20.10.12_ce-159.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-kubic-20.10.12_ce-159.1.x86_64",
"product": {
"name": "docker-kubic-20.10.12_ce-159.1.x86_64",
"product_id": "docker-kubic-20.10.12_ce-159.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"product": {
"name": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"product_id": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.3",
"product": {
"name": "openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.4.12-60.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64"
},
"product_reference": "containerd-1.4.12-60.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.4.12-60.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le"
},
"product_reference": "containerd-1.4.12-60.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.4.12-60.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x"
},
"product_reference": "containerd-1.4.12-60.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.4.12-60.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64"
},
"product_reference": "containerd-1.4.12-60.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-ctr-1.4.12-60.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64"
},
"product_reference": "containerd-ctr-1.4.12-60.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-ctr-1.4.12-60.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le"
},
"product_reference": "containerd-ctr-1.4.12-60.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-ctr-1.4.12-60.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x"
},
"product_reference": "containerd-ctr-1.4.12-60.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-ctr-1.4.12-60.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64"
},
"product_reference": "containerd-ctr-1.4.12-60.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-20.10.12_ce-159.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64"
},
"product_reference": "docker-20.10.12_ce-159.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-20.10.12_ce-159.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le"
},
"product_reference": "docker-20.10.12_ce-159.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-20.10.12_ce-159.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x"
},
"product_reference": "docker-20.10.12_ce-159.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-20.10.12_ce-159.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64"
},
"product_reference": "docker-20.10.12_ce-159.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-bash-completion-20.10.12_ce-159.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch"
},
"product_reference": "docker-bash-completion-20.10.12_ce-159.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-fish-completion-20.10.12_ce-159.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch"
},
"product_reference": "docker-fish-completion-20.10.12_ce-159.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-kubic-20.10.12_ce-159.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64"
},
"product_reference": "docker-kubic-20.10.12_ce-159.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-kubic-20.10.12_ce-159.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le"
},
"product_reference": "docker-kubic-20.10.12_ce-159.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-kubic-20.10.12_ce-159.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x"
},
"product_reference": "docker-kubic-20.10.12_ce-159.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-kubic-20.10.12_ce-159.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64"
},
"product_reference": "docker-kubic-20.10.12_ce-159.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-kubic-bash-completion-20.10.12_ce-159.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch"
},
"product_reference": "docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-kubic-fish-completion-20.10.12_ce-159.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch"
},
"product_reference": "docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64"
},
"product_reference": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le"
},
"product_reference": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x"
},
"product_reference": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64"
},
"product_reference": "docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch"
},
"product_reference": "docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-zsh-completion-20.10.12_ce-159.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch"
},
"product_reference": "docker-zsh-completion-20.10.12_ce-159.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-41089",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-41089"
}
],
"notes": [
{
"category": "general",
"text": "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host\u0027s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-41089",
"url": "https://www.suse.com/security/cve/CVE-2021-41089"
},
{
"category": "external",
"summary": "SUSE Bug 1191015 for CVE-2021-41089",
"url": "https://bugzilla.suse.com/1191015"
},
{
"category": "external",
"summary": "SUSE Bug 1191355 for CVE-2021-41089",
"url": "https://bugzilla.suse.com/1191355"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-02-04T08:31:13Z",
"details": "moderate"
}
],
"title": "CVE-2021-41089"
},
{
"cve": "CVE-2021-41091",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-41091"
}
],
"notes": [
{
"category": "general",
"text": "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-41091",
"url": "https://www.suse.com/security/cve/CVE-2021-41091"
},
{
"category": "external",
"summary": "SUSE Bug 1191355 for CVE-2021-41091",
"url": "https://bugzilla.suse.com/1191355"
},
{
"category": "external",
"summary": "SUSE Bug 1191434 for CVE-2021-41091",
"url": "https://bugzilla.suse.com/1191434"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-02-04T08:31:13Z",
"details": "moderate"
}
],
"title": "CVE-2021-41091"
},
{
"cve": "CVE-2021-41092",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-41092"
}
],
"notes": [
{
"category": "general",
"text": "Docker CLI is the command line interface for the docker container runtime. A bug was found in the Docker CLI where running `docker login my-private-registry.example.com` with a misconfigured configuration file (typically `~/.docker/config.json`) listing a `credsStore` or `credHelpers` that could not be executed would result in any provided credentials being sent to `registry-1.docker.io` rather than the intended private registry. This bug has been fixed in Docker CLI 20.10.9. Users should update to this version as soon as possible. For users unable to update ensure that any configured credsStore or credHelpers entries in the configuration file reference an installed credential helper that is executable and on the PATH.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-41092",
"url": "https://www.suse.com/security/cve/CVE-2021-41092"
},
{
"category": "external",
"summary": "SUSE Bug 1191334 for CVE-2021-41092",
"url": "https://bugzilla.suse.com/1191334"
},
{
"category": "external",
"summary": "SUSE Bug 1191355 for CVE-2021-41092",
"url": "https://bugzilla.suse.com/1191355"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-02-04T08:31:13Z",
"details": "moderate"
}
],
"title": "CVE-2021-41092"
},
{
"cve": "CVE-2021-41103",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-41103"
}
],
"notes": [
{
"category": "general",
"text": "containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these version when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Users unable to update should limit access to the host to trusted users. Update directory permission on container bundles directories.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-41103",
"url": "https://www.suse.com/security/cve/CVE-2021-41103"
},
{
"category": "external",
"summary": "SUSE Bug 1191121 for CVE-2021-41103",
"url": "https://bugzilla.suse.com/1191121"
},
{
"category": "external",
"summary": "SUSE Bug 1191355 for CVE-2021-41103",
"url": "https://bugzilla.suse.com/1191355"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-02-04T08:31:13Z",
"details": "moderate"
}
],
"title": "CVE-2021-41103"
},
{
"cve": "CVE-2021-41190",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-41190"
}
],
"notes": [
{
"category": "general",
"text": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \"manifests\" and \"layers\" fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \"manifests\" and \"layers\" fields or \"manifests\" and \"config\" fields if they are unable to update to version 1.0.1 of the spec.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-41190",
"url": "https://www.suse.com/security/cve/CVE-2021-41190"
},
{
"category": "external",
"summary": "SUSE Bug 1193273 for CVE-2021-41190",
"url": "https://bugzilla.suse.com/1193273"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:containerd-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.aarch64",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.ppc64le",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.s390x",
"openSUSE Leap 15.3:containerd-ctr-1.4.12-60.1.x86_64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-bash-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-fish-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.aarch64",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.ppc64le",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.s390x",
"openSUSE Leap 15.3:docker-kubic-kubeadm-criconfig-20.10.12_ce-159.1.x86_64",
"openSUSE Leap 15.3:docker-kubic-zsh-completion-20.10.12_ce-159.1.noarch",
"openSUSE Leap 15.3:docker-zsh-completion-20.10.12_ce-159.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-02-04T08:31:13Z",
"details": "moderate"
}
],
"title": "CVE-2021-41190"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.