Action not permitted
Modal body text goes here.
CVE-2021-43138
Vulnerability from cvelistv5
Published
2022-04-06 00:00
Modified
2024-08-04 03:47
Severity ?
EPSS score ?
Summary
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:47:13.575Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js" }, { "tags": [ "x_transferred" ], "url": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js" }, { "tags": [ "x_transferred" ], "url": "https://jsfiddle.net/oz5twjd9/" }, { "tags": [ "x_transferred" ], "url": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d" }, { "tags": [ "x_transferred" ], "url": "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264" }, { "tags": [ "x_transferred" ], "url": "https://github.com/caolan/async/pull/1828" }, { "tags": [ "x_transferred" ], "url": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4" }, { "name": "FEDORA-2023-ce8943223c", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/" }, { "name": "FEDORA-2023-18fd476362", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-21T19:07:23.908408", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js" }, { "url": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js" }, { "url": "https://jsfiddle.net/oz5twjd9/" }, { "url": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d" }, { "url": "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264" }, { "url": "https://github.com/caolan/async/pull/1828" }, { "url": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4" }, { "name": "FEDORA-2023-ce8943223c", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/" }, { "name": "FEDORA-2023-18fd476362", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/" }, { "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-43138", "datePublished": "2022-04-06T00:00:00", "dateReserved": "2021-11-01T00:00:00", "dateUpdated": "2024-08-04T03:47:13.575Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-43138\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2022-04-06T17:15:08.650\",\"lastModified\":\"2024-11-21T06:28:43.393\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.\"},{\"lang\":\"es\",\"value\":\"En Async antes de la versi\u00f3n 2.6.4 y 3.x antes de la versi\u00f3n 3.2.2, un usuario malicioso puede obtener privilegios a trav\u00e9s del m\u00e9todo mapValues(), tambi\u00e9n conocido como contaminaci\u00f3n del prototipo lib/internal/iterator.js createObjectIterator\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:async_project:async:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.6.4\",\"matchCriteriaId\":\"B72E3857-6DDB-46B0-BC63-3D946C7C5022\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:async_project:async:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.2.2\",\"matchCriteriaId\":\"213DEB60-8A87-402F-B27F-7DE272760E8D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E30D0E6F-4AE8-4284-8716-991DFA48CC5D\"}]}]}],\"references\":[{\"url\":\"https://github.com/caolan/async/blob/master/lib/internal/iterator.js\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/caolan/async/compare/v2.6.3...v2.6.4\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/caolan/async/pull/1828\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://jsfiddle.net/oz5twjd9/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240621-0006/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/caolan/async/blob/master/lib/internal/iterator.js\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/caolan/async/compare/v2.6.3...v2.6.4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/caolan/async/pull/1828\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://jsfiddle.net/oz5twjd9/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240621-0006/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}" } }
wid-sec-w-2022-1476
Vulnerability from csaf_certbund
Published
2022-09-19 22:00
Modified
2023-03-02 23:00
Summary
SUSE Manager: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
SUSE Manager basiert auf Spacewalk, welche die Codebase vom Red Hat
Satellite Server nutzt und ermöglicht ein zentrale Systemmanagement von Linux-Umgebungen.
Angriff
Ein entfernter, anonymer oder lokaler Angreifer kann mehrere Schwachstellen in SUSE Manager ausnutzen, um Sicherheitsvorkehrungen zu umgehen, beliebigen Code auszuführen, seine Privilegien zu erweitern und einen Denial-of-Service-Zustand zu verursachen.
Betroffene Betriebssysteme
- UNIX
- Linux
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "SUSE Manager basiert auf Spacewalk, welche die Codebase vom Red Hat\r\nSatellite Server nutzt und erm\u00f6glicht ein zentrale Systemmanagement von Linux-Umgebungen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer oder lokaler Angreifer kann mehrere Schwachstellen in SUSE Manager ausnutzen, um Sicherheitsvorkehrungen zu umgehen, beliebigen Code auszuf\u00fchren, seine Privilegien zu erweitern und einen Denial-of-Service-Zustand zu verursachen.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2022-1476 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1476.json" }, { "category": "self", "summary": "WID-SEC-2022-1476 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1476" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2023:0593-1 vom 2023-03-02", "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-March/013958.html" }, { "category": "external", "summary": "SUSE Security Advisory vom 2022-09-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-September/012289.html" }, { "category": "external", "summary": "SUSE Security Advisory vom 2022-09-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-September/012286.html" }, { "category": "external", "summary": "SUSE Security Advisory vom 2022-09-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-September/012291.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:3761-1 vom 2022-10-26", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-October/012707.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:3750-1 vom 2022-10-26", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-October/012690.html" } ], "source_lang": "en-US", "title": "SUSE Manager: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-03-02T23:00:00.000+00:00", "generator": { "date": "2024-08-15T17:35:26.337+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2022-1476", "initial_release_date": "2022-09-19T22:00:00.000+00:00", "revision_history": [ { "date": "2022-09-19T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2022-10-26T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2023-03-02T23:00:00.000+00:00", "number": "3", "summary": "Neue Updates von SUSE aufgenommen" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } }, { "category": "product_name", "name": "SUSE Manager \u003c 4.2.9", "product": { "name": "SUSE Manager \u003c 4.2.9", "product_id": "T024662", "product_identification_helper": { "cpe": "cpe:/a:suse:manager:4.2.9" } } } ], "category": "vendor", "name": "SUSE" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-41411", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in SUSE Manager. Der Fehler besteht in der Komponente drools aufgrund einer XML External Entity (XXE) Schwachstelle in KieModuleMarshaller.java. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen." } ], "product_status": { "known_affected": [ "T002207" ] }, "release_date": "2022-09-19T22:00:00.000+00:00", "title": "CVE-2021-41411" }, { "cve": "CVE-2021-42740", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in SUSE Manager. Der Fehler besteht in der Komponente Node.js aufgrund einer Befehlsinjektion. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, indem er durch eine Regex, die f\u00fcr die Unterst\u00fctzung von Windows-Laufwerksbuchstaben entwickelt wurde, uneingescapte Shell-Metazeichen einf\u00fcgt, um beliebigen Code auszuf\u00fchren." } ], "product_status": { "known_affected": [ "T002207" ] }, "release_date": "2022-09-19T22:00:00.000+00:00", "title": "CVE-2021-42740" }, { "cve": "CVE-2021-43138", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in SUSE Manager. Der Fehler besteht in der Komponente Async in der mapValues()-Methode aufgrund einer Prototypenverschmutzung. Ein lokaler Angreifer kann diese Schwachstelle ausnutzen, um seine Privilegien zu erweitern. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich." } ], "product_status": { "known_affected": [ "T002207" ] }, "release_date": "2022-09-19T22:00:00.000+00:00", "title": "CVE-2021-43138" }, { "cve": "CVE-2022-31129", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in SUSE Manager. Der Fehler besteht in der Komponente Moment aufgrund eines ineffizienten Parsing-Algorithmus. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, indem er Eingaben mit mehr als 10k Zeichen \u00fcbermittelt, um einen Denial-of-Service-Zustand auszul\u00f6sen." } ], "product_status": { "known_affected": [ "T002207" ] }, "release_date": "2022-09-19T22:00:00.000+00:00", "title": "CVE-2022-31129" } ] }
wid-sec-w-2023-0318
Vulnerability from csaf_certbund
Published
2023-02-08 23:00
Modified
2024-05-21 22:00
Summary
Red Hat Migration Toolkit for Containers: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Red Hat OpenShift ist eine "Platform as a Service" (PaaS) Lösung zur Bereitstellung von Applikationen in der Cloud.
Angriff
Ein entfernter, anonymer oder angemeldeter Angreifer kann mehrere Schwachstellen in Red Hat Migration Toolkit for Containers ausnutzen, um seine Rechte zu erweitern, einen Denial of Service zu verursachen, Sicherheitsvorkehrungen zu umgehen und Informationen offenzulegen.
Betroffene Betriebssysteme
- Linux
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Red Hat OpenShift ist eine \"Platform as a Service\" (PaaS) L\u00f6sung zur Bereitstellung von Applikationen in der Cloud.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer oder angemeldeter Angreifer kann mehrere Schwachstellen in Red Hat Migration Toolkit for Containers ausnutzen, um seine Rechte zu erweitern, einen Denial of Service zu verursachen, Sicherheitsvorkehrungen zu umgehen und Informationen offenzulegen.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-0318 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0318.json" }, { "category": "self", "summary": "WID-SEC-2023-0318 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0318" }, { "category": "external", "summary": "RedHat Security Advisory vom 2023-02-08", "url": "https://access.redhat.com/errata/RHSA-2023:0693" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:0632 vom 2023-02-15", "url": "https://access.redhat.com/errata/RHSA-2023:0632" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:0728 vom 2023-02-17", "url": "https://access.redhat.com/errata/RHSA-2023:0728" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:0769 vom 2023-02-21", "url": "https://access.redhat.com/errata/RHSA-2023:0769" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:0774 vom 2023-02-22", "url": "https://access.redhat.com/errata/RHSA-2023:0774" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:2041 vom 2023-04-27", "url": "https://access.redhat.com/errata/RHSA-2023:2041" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:3645 vom 2023-06-16", "url": "https://access.redhat.com/errata/RHSA-2023:3645" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2024-0121 vom 2024-01-13", "url": "https://linux.oracle.com/errata/ELSA-2024-0121.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:5006 vom 2023-12-30", "url": "https://access.redhat.com/errata/RHSA-2023:5006" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:2988 vom 2024-05-22", "url": "https://access.redhat.com/errata/RHSA-2024:2988" } ], "source_lang": "en-US", "title": "Red Hat Migration Toolkit for Containers: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-05-21T22:00:00.000+00:00", "generator": { "date": "2024-08-15T17:43:17.931+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2023-0318", "initial_release_date": "2023-02-08T23:00:00.000+00:00", "revision_history": [ { "date": "2023-02-08T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-02-15T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2023-02-16T23:00:00.000+00:00", "number": "3", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2023-02-20T23:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2023-02-21T23:00:00.000+00:00", "number": "5", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2023-04-26T22:00:00.000+00:00", "number": "6", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2023-06-15T22:00:00.000+00:00", "number": "7", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2024-01-01T23:00:00.000+00:00", "number": "8", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2024-01-14T23:00:00.000+00:00", "number": "9", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2024-05-21T22:00:00.000+00:00", "number": "10", "summary": "Neue Updates von Red Hat aufgenommen" } ], "status": "final", "version": "10" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } }, { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift", "product": { "name": "Red Hat OpenShift", "product_id": "T008027", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:-" } } }, { "category": "product_version", "name": "Container Platform 4.11", "product": { "name": "Red Hat OpenShift Container Platform 4.11", "product_id": "T025990", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:container_platform_4.11" } } }, { "category": "product_version_range", "name": "Migration Toolkit for Containers \u003c1.7.7", "product": { "name": "Red Hat OpenShift Migration Toolkit for Containers \u003c1.7.7", "product_id": "T026206" } }, { "category": "product_version", "name": "Container Platform 4.12", "product": { "name": "Red Hat OpenShift Container Platform 4.12", "product_id": "T026435", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:container_platform_4.12" } } }, { "category": "product_version_range", "name": "Container Platform \u003c4.14.0", "product": { "name": "Red Hat OpenShift Container Platform \u003c4.14.0", "product_id": "T031839" } } ], "category": "product_name", "name": "OpenShift" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-43138", "notes": [ { "category": "description", "text": "In Red Hat Migration Toolkit for Containers existieren mehrere Schwachstellen in den Komponenten \"async\" und \"golang\". Ein Angreifer kann dies ausnutzen, um seine Rechte zu erweitern, einen Denial of Service zu verursachen, Sicherheitsvorkehrungen zu umgehen und Informationen offenzulegen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion oder eine Anmeldung erforderlich." } ], "product_status": { "known_affected": [ "T008027", "67646", "T026206", "T026435", "T004914", "T025990", "T031839" ] }, "release_date": "2023-02-08T23:00:00.000+00:00", "title": "CVE-2021-43138" }, { "cve": "CVE-2022-27664", "notes": [ { "category": "description", "text": "In Red Hat Migration Toolkit for Containers existieren mehrere Schwachstellen in den Komponenten \"async\" und \"golang\". Ein Angreifer kann dies ausnutzen, um seine Rechte zu erweitern, einen Denial of Service zu verursachen, Sicherheitsvorkehrungen zu umgehen und Informationen offenzulegen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion oder eine Anmeldung erforderlich." } ], "product_status": { "known_affected": [ "T008027", "67646", "T026206", "T026435", "T004914", "T025990", "T031839" ] }, "release_date": "2023-02-08T23:00:00.000+00:00", "title": "CVE-2022-27664" }, { "cve": "CVE-2022-2879", "notes": [ { "category": "description", "text": "In Red Hat Migration Toolkit for Containers existieren mehrere Schwachstellen in den Komponenten \"async\" und \"golang\". Ein Angreifer kann dies ausnutzen, um seine Rechte zu erweitern, einen Denial of Service zu verursachen, Sicherheitsvorkehrungen zu umgehen und Informationen offenzulegen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion oder eine Anmeldung erforderlich." } ], "product_status": { "known_affected": [ "T008027", "67646", "T026206", "T026435", "T004914", "T025990", "T031839" ] }, "release_date": "2023-02-08T23:00:00.000+00:00", "title": "CVE-2022-2879" }, { "cve": "CVE-2022-2880", "notes": [ { "category": "description", "text": "In Red Hat Migration Toolkit for Containers existieren mehrere Schwachstellen in den Komponenten \"async\" und \"golang\". Ein Angreifer kann dies ausnutzen, um seine Rechte zu erweitern, einen Denial of Service zu verursachen, Sicherheitsvorkehrungen zu umgehen und Informationen offenzulegen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion oder eine Anmeldung erforderlich." } ], "product_status": { "known_affected": [ "T008027", "67646", "T026206", "T026435", "T004914", "T025990", "T031839" ] }, "release_date": "2023-02-08T23:00:00.000+00:00", "title": "CVE-2022-2880" }, { "cve": "CVE-2022-32149", "notes": [ { "category": "description", "text": "In Red Hat Migration Toolkit for Containers existieren mehrere Schwachstellen in den Komponenten \"async\" und \"golang\". Ein Angreifer kann dies ausnutzen, um seine Rechte zu erweitern, einen Denial of Service zu verursachen, Sicherheitsvorkehrungen zu umgehen und Informationen offenzulegen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion oder eine Anmeldung erforderlich." } ], "product_status": { "known_affected": [ "T008027", "67646", "T026206", "T026435", "T004914", "T025990", "T031839" ] }, "release_date": "2023-02-08T23:00:00.000+00:00", "title": "CVE-2022-32149" }, { "cve": "CVE-2022-32189", "notes": [ { "category": "description", "text": "In Red Hat Migration Toolkit for Containers existieren mehrere Schwachstellen in den Komponenten \"async\" und \"golang\". Ein Angreifer kann dies ausnutzen, um seine Rechte zu erweitern, einen Denial of Service zu verursachen, Sicherheitsvorkehrungen zu umgehen und Informationen offenzulegen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion oder eine Anmeldung erforderlich." } ], "product_status": { "known_affected": [ "T008027", "67646", "T026206", "T026435", "T004914", "T025990", "T031839" ] }, "release_date": "2023-02-08T23:00:00.000+00:00", "title": "CVE-2022-32189" }, { "cve": "CVE-2022-32190", "notes": [ { "category": "description", "text": "In Red Hat Migration Toolkit for Containers existieren mehrere Schwachstellen in den Komponenten \"async\" und \"golang\". Ein Angreifer kann dies ausnutzen, um seine Rechte zu erweitern, einen Denial of Service zu verursachen, Sicherheitsvorkehrungen zu umgehen und Informationen offenzulegen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion oder eine Anmeldung erforderlich." } ], "product_status": { "known_affected": [ "T008027", "67646", "T026206", "T026435", "T004914", "T025990", "T031839" ] }, "release_date": "2023-02-08T23:00:00.000+00:00", "title": "CVE-2022-32190" }, { "cve": "CVE-2022-41715", "notes": [ { "category": "description", "text": "In Red Hat Migration Toolkit for Containers existieren mehrere Schwachstellen in den Komponenten \"async\" und \"golang\". Ein Angreifer kann dies ausnutzen, um seine Rechte zu erweitern, einen Denial of Service zu verursachen, Sicherheitsvorkehrungen zu umgehen und Informationen offenzulegen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion oder eine Anmeldung erforderlich." } ], "product_status": { "known_affected": [ "T008027", "67646", "T026206", "T026435", "T004914", "T025990", "T031839" ] }, "release_date": "2023-02-08T23:00:00.000+00:00", "title": "CVE-2022-41715" }, { "cve": "CVE-2022-41717", "notes": [ { "category": "description", "text": "In Red Hat Migration Toolkit for Containers existieren mehrere Schwachstellen in den Komponenten \"async\" und \"golang\". Ein Angreifer kann dies ausnutzen, um seine Rechte zu erweitern, einen Denial of Service zu verursachen, Sicherheitsvorkehrungen zu umgehen und Informationen offenzulegen. Zur erfolgreichen Ausnutzung einiger dieser Schwachstellen ist eine Benutzeraktion oder eine Anmeldung erforderlich." } ], "product_status": { "known_affected": [ "T008027", "67646", "T026206", "T026435", "T004914", "T025990", "T031839" ] }, "release_date": "2023-02-08T23:00:00.000+00:00", "title": "CVE-2022-41717" } ] }
wid-sec-w-2023-1800
Vulnerability from csaf_certbund
Published
2023-07-18 22:00
Modified
2023-07-18 22:00
Summary
HCL BigFix: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
BigFix ist eine Lösung zum Erkennen und Verwalten von physischen und virtuellen Endpunkten.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in HCL BigFix WebUI ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "BigFix ist eine L\u00f6sung zum Erkennen und Verwalten von physischen und virtuellen Endpunkten.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in HCL BigFix WebUI ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-1800 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1800.json" }, { "category": "self", "summary": "WID-SEC-2023-1800 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1800" }, { "category": "external", "summary": "HCL Security Advisory vom 2023-07-18", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0106123" } ], "source_lang": "en-US", "title": "HCL BigFix: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-07-18T22:00:00.000+00:00", "generator": { "date": "2024-08-15T17:55:49.788+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2023-1800", "initial_release_date": "2023-07-18T22:00:00.000+00:00", "revision_history": [ { "date": "2023-07-18T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "HCL BigFix WebUI", "product": { "name": "HCL BigFix WebUI", "product_id": "T023767", "product_identification_helper": { "cpe": "cpe:/a:hcltech:bigfix:webui" } } } ], "category": "vendor", "name": "HCL" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-32695", "notes": [ { "category": "description", "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T023767" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-32695" }, { "cve": "CVE-2023-31125", "notes": [ { "category": "description", "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T023767" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-31125" }, { "cve": "CVE-2023-30533", "notes": [ { "category": "description", "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T023767" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-30533" }, { "cve": "CVE-2023-28155", "notes": [ { "category": "description", "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T023767" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-28155" }, { "cve": "CVE-2023-28023", "notes": [ { "category": "description", "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T023767" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-28023" }, { "cve": "CVE-2023-28021", "notes": [ { "category": "description", "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T023767" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-28021" }, { "cve": "CVE-2023-28020", "notes": [ { "category": "description", "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T023767" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-28020" }, { "cve": "CVE-2023-28019", "notes": [ { "category": "description", "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T023767" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2023-28019" }, { "cve": "CVE-2021-43138", "notes": [ { "category": "description", "text": "In HCL BigFix WebUI existieren mehrere Schwachstellen. Diese bestehen in verschiedenen Komponenten, teilweise von Drittanbietern. Ein entfernter, anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, Dateien zu manipulieren, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T023767" ] }, "release_date": "2023-07-18T22:00:00.000+00:00", "title": "CVE-2021-43138" } ] }
rhsa-2023_3645
Vulnerability from csaf_redhat
Published
2023-06-15 20:55
Modified
2024-12-10 17:53
Summary
Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.2.7 security update
Notes
Topic
Red Hat OpenShift Service Mesh 2.2.7
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.
This advisory covers the RPM packages for the release.
Security Fix(es):
* mongo-go-driver: specific cstrings input may not be properly validated (CVE-2021-20329)
* async: Prototype Pollution in async (CVE-2021-43138)
* express: "qs" prototype poisoning causes the hang of the node process (CVE-2022-24999)
* terser: insecure use of regular expressions leads to ReDoS (CVE-2022-25858)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Service Mesh 2.2.7\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Service Mesh is Red Hat\u0027s distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.\n\nThis advisory covers the RPM packages for the release.\n\nSecurity Fix(es):\n\n* mongo-go-driver: specific cstrings input may not be properly validated (CVE-2021-20329)\n* async: Prototype Pollution in async (CVE-2021-43138)\n* express: \"qs\" prototype poisoning causes the hang of the node process (CVE-2022-24999)\n* terser: insecure use of regular expressions leads to ReDoS (CVE-2022-25858)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:3645", "url": "https://access.redhat.com/errata/RHSA-2023:3645" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1971033", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1971033" }, { "category": "external", "summary": "2126276", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126276" }, { "category": "external", "summary": "2126277", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126277" }, { "category": "external", "summary": "2150323", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150323" }, { "category": "external", "summary": "OSSM-3596", "url": "https://issues.redhat.com/browse/OSSM-3596" }, { "category": "external", "summary": "OSSM-3720", "url": "https://issues.redhat.com/browse/OSSM-3720" }, { "category": "external", "summary": "OSSM-3783", "url": "https://issues.redhat.com/browse/OSSM-3783" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3645.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.2.7 security update", "tracking": { "current_release_date": "2024-12-10T17:53:19+00:00", "generator": { "date": "2024-12-10T17:53:19+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2023:3645", "initial_release_date": "2023-06-15T20:55:50+00:00", "revision_history": [ { "date": "2023-06-15T20:55:50+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-06-15T20:55:50+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-10T17:53:19+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHOSSM 2.2 for RHEL 8", "product": { "name": "RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2", "product_identification_helper": { "cpe": "cpe:/a:redhat:service_mesh:2.2::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Service Mesh" }, { "branches": [ { "category": "product_version", "name": "openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64", "product": { "name": "openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64", "product_id": "openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64", "product_identification_helper": { "purl": "pkg:oci/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/istio-cni-rhel8\u0026tag=2.2.7-7" } } }, { "category": "product_version", "name": "openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64", "product": { "name": "openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64", "product_id": "openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64", "product_identification_helper": { "purl": "pkg:oci/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/grafana-rhel8\u0026tag=2.2.7-3" } } }, { "category": "product_version", "name": "openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64", "product": { "name": "openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64", "product_id": "openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64", "product_identification_helper": { "purl": "pkg:oci/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8\u0026tag=1.48.6-1" } } }, { "category": "product_version", "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64", "product": { "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64", "product_id": "openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64", "product_identification_helper": { "purl": "pkg:oci/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel8\u0026tag=2.2.7-7" } } }, { "category": "product_version", "name": "openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64", "product": { "name": "openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64", "product_id": "openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64", "product_identification_helper": { "purl": "pkg:oci/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/pilot-rhel8\u0026tag=2.2.7-7" } } }, { "category": "product_version", "name": "openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64", "product": { "name": "openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64", "product_id": "openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64", "product_identification_helper": { "purl": "pkg:oci/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/prometheus-rhel8\u0026tag=2.2.7-7" } } }, { "category": "product_version", "name": "openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64", "product": { "name": "openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64", "product_id": "openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64", "product_identification_helper": { "purl": "pkg:oci/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/proxyv2-rhel8\u0026tag=2.2.7-6" } } }, { "category": "product_version", "name": "openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64", "product": { "name": "openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64", "product_id": "openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64", "product_identification_helper": { "purl": "pkg:oci/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh/ratelimit-rhel8\u0026tag=2.2.7-4" } } } ], "category": "architecture", "name": "amd64" }, { "branches": [ { "category": "product_version", "name": "openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le", "product": { "name": "openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le", "product_id": "openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le", "product_identification_helper": { "purl": "pkg:oci/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/istio-cni-rhel8\u0026tag=2.2.7-7" } } }, { "category": "product_version", "name": "openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le", "product": { "name": "openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le", "product_id": "openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le", "product_identification_helper": { "purl": "pkg:oci/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/grafana-rhel8\u0026tag=2.2.7-3" } } }, { "category": "product_version", "name": "openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le", "product": { "name": "openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le", "product_id": "openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le", "product_identification_helper": { "purl": "pkg:oci/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8\u0026tag=1.48.6-1" } } }, { "category": "product_version", "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le", "product": { "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le", "product_id": "openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le", "product_identification_helper": { "purl": "pkg:oci/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel8\u0026tag=2.2.7-7" } } }, { "category": "product_version", "name": "openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le", "product": { "name": "openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le", "product_id": "openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le", "product_identification_helper": { "purl": "pkg:oci/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/pilot-rhel8\u0026tag=2.2.7-7" } } }, { "category": "product_version", "name": "openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le", "product": { "name": "openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le", "product_id": "openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le", "product_identification_helper": { "purl": "pkg:oci/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/prometheus-rhel8\u0026tag=2.2.7-7" } } }, { "category": "product_version", "name": "openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le", "product": { "name": "openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le", "product_id": "openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le", "product_identification_helper": { "purl": "pkg:oci/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/proxyv2-rhel8\u0026tag=2.2.7-6" } } }, { "category": "product_version", "name": "openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le", "product": { "name": "openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le", "product_id": "openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le", "product_identification_helper": { "purl": "pkg:oci/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh/ratelimit-rhel8\u0026tag=2.2.7-4" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x", "product": { "name": "openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x", "product_id": "openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x", "product_identification_helper": { "purl": "pkg:oci/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/istio-cni-rhel8\u0026tag=2.2.7-7" } } }, { "category": "product_version", "name": "openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x", "product": { "name": "openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x", "product_id": "openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x", "product_identification_helper": { "purl": "pkg:oci/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/grafana-rhel8\u0026tag=2.2.7-3" } } }, { "category": "product_version", "name": "openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x", "product": { "name": "openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x", "product_id": "openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x", "product_identification_helper": { "purl": "pkg:oci/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/kiali-rhel8\u0026tag=1.48.6-1" } } }, { "category": "product_version", "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x", "product": { "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x", "product_id": "openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x", "product_identification_helper": { "purl": "pkg:oci/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel8\u0026tag=2.2.7-7" } } }, { "category": "product_version", "name": "openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x", "product": { "name": "openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x", "product_id": "openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x", "product_identification_helper": { "purl": "pkg:oci/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/pilot-rhel8\u0026tag=2.2.7-7" } } }, { "category": "product_version", "name": "openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x", "product": { "name": "openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x", "product_id": "openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x", "product_identification_helper": { "purl": "pkg:oci/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/prometheus-rhel8\u0026tag=2.2.7-7" } } }, { "category": "product_version", "name": "openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x", "product": { "name": "openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x", "product_id": "openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x", "product_identification_helper": { "purl": "pkg:oci/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/proxyv2-rhel8\u0026tag=2.2.7-6" } } }, { "category": "product_version", "name": "openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x", "product": { "name": "openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x", "product_id": "openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x", "product_identification_helper": { "purl": "pkg:oci/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh/ratelimit-rhel8\u0026tag=2.2.7-4" } } } ], "category": "architecture", "name": "s390x" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x" }, "product_reference": "openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le" }, "product_reference": "openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64 as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64" }, "product_reference": "openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64 as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64" }, "product_reference": "openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x" }, "product_reference": "openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le" }, "product_reference": "openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x" }, "product_reference": "openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le" }, "product_reference": "openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64 as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64" }, "product_reference": "openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x" }, "product_reference": "openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64 as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64" }, "product_reference": "openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le" }, "product_reference": "openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x" }, "product_reference": "openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64 as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64" }, "product_reference": "openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le" }, "product_reference": "openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64 as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64" }, "product_reference": "openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x" }, "product_reference": "openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le" }, "product_reference": "openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le" }, "product_reference": "openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x" }, "product_reference": "openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64 as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64" }, "product_reference": "openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le" }, "product_reference": "openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x" }, "product_reference": "openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x", "relates_to_product_reference": "8Base-RHOSSM-2.2" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64 as a component of RHOSSM 2.2 for RHEL 8", "product_id": "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64" }, "product_reference": "openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64", "relates_to_product_reference": "8Base-RHOSSM-2.2" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-20329", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-06-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1971033" } ], "notes": [ { "category": "description", "text": "A flaw was found in Mongo. Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshaling Go objects into BSON. This flaw allows a malicious user to use a Go object with a specific string to inject additional fields into marshaled documents.", "title": "Vulnerability description" }, { "category": "summary", "text": "mongo-go-driver: specific cstrings input may not be properly validated", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le" ], "known_not_affected": [ "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-20329" }, { "category": "external", "summary": "RHBZ#1971033", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1971033" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-20329", "url": "https://www.cve.org/CVERecord?id=CVE-2021-20329" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-20329", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20329" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-f6mq-5m25-4r72", "url": "https://github.com/advisories/GHSA-f6mq-5m25-4r72" }, { "category": "external", "summary": "https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1", "url": "https://github.com/mongodb/mongo-go-driver/releases/tag/v1.5.1" } ], "release_date": "2021-03-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-15T20:55:50+00:00", "details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3645" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "mongo-go-driver: specific cstrings input may not be properly validated" }, { "cve": "CVE-2021-43138", "cwe": { "id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" }, "discovery_date": "2022-09-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2126276" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in the async package. This flaw allows a malicious user to obtain privileges via the mapValues() method.", "title": "Vulnerability description" }, { "category": "summary", "text": "async: Prototype Pollution in async", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le" ], "known_not_affected": [ "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-43138" }, { "category": "external", "summary": "RHBZ#2126276", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126276" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-43138", "url": "https://www.cve.org/CVERecord?id=CVE-2021-43138" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", "url": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25" } ], "release_date": "2022-04-07T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-15T20:55:50+00:00", "details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3645" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "async: Prototype Pollution in async" }, { "cve": "CVE-2022-24999", "cwe": { "id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" }, "discovery_date": "2022-12-02T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2150323" } ], "notes": [ { "category": "description", "text": "A flaw was found in the express.js npm package of nodejs:14 module stream. Express.js Express is vulnerable to a denial of service caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "express: \"qs\" prototype poisoning causes the hang of the node process", "title": "Vulnerability summary" }, { "category": "other", "text": "- The qs and express Package is not used by the OpenShift Container Platform console directly and is only a third-party package dependency. Hence, it is marked as wontfix. \nAs a result, any services that depend on Openshift for their use of qs and express are marked won\u0027t fix. \n- In OpenShift Service Mesh, \u0027qs\u0027 is hoisted from storybook and node-sass, both are dev dependencies, and the vulnerability is not exposed to end users. Hence marked as wontfix.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le" ], "known_not_affected": [ "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-24999" }, { "category": "external", "summary": "RHBZ#2150323", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150323" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24999", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24999" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999" }, { "category": "external", "summary": "https://github.com/expressjs/express/releases/tag/4.17.3", "url": "https://github.com/expressjs/express/releases/tag/4.17.3" }, { "category": "external", "summary": "https://github.com/ljharb/qs/pull/428", "url": "https://github.com/ljharb/qs/pull/428" }, { "category": "external", "summary": "https://github.com/n8tz/CVE-2022-24999", "url": "https://github.com/n8tz/CVE-2022-24999" } ], "release_date": "2022-11-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-15T20:55:50+00:00", "details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3645" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "express: \"qs\" prototype poisoning causes the hang of the node process" }, { "cve": "CVE-2022-25858", "discovery_date": "2022-09-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2126277" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in the terser package. Affected versions of this package are vulnerable to Regular expression denial of service (ReDoS) attacks, affecting system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "terser: insecure use of regular expressions leads to ReDoS", "title": "Vulnerability summary" }, { "category": "other", "text": "For OpenShift Do (odo) product terser is shipped only for using in static page generators for upstream, thus this represents no security risk.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le" ], "known_not_affected": [ "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-25858" }, { "category": "external", "summary": "RHBZ#2126277", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126277" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-25858", "url": "https://www.cve.org/CVERecord?id=CVE-2022-25858" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25858", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25858" } ], "release_date": "2022-07-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-15T20:55:50+00:00", "details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3645" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce1247898969a1865d5d7eb865f659131d6dc58e78aecfc31c59615dc21dd48e_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:ce4f38fd64e2e1944e037097b3af9d5b8645f7fc5856b74cba00f94a1a60471f_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/grafana-rhel8@sha256:f496643a0600a632a3ce216d67634cff9e6174aeb4d113743fd0443a40b535d9_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:3f410cd41ea91e0014d1cf8d7f3decb3bf0e3db5e9aa2612480a76f6797aa3b5_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:47720497b1bb8ee24993260359294eeeafdd888c71ccca6cb12d526e5c3a4a13_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-cni-rhel8@sha256:8abbc8a247ff6de3e5b212e6a2b0203600555e1f3f0c8599aaf19c9cdda59abb_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:a2de7f954c0878842b5e214d809382c7d0428b8d3ed22fa1516e49ec583d7790_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:bbd215d60e43f719ac81025128f30002bb11f1d29fa874f3b8b1ce61a9269628_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/istio-must-gather-rhel8@sha256:c6cda704d37ed2d233ec225578cb8021429a64d77649c26672c876569a0696b6_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:351d18f13943b57b5599dc4c2af9970a6add2fbf2cd702f64128e156e4e8a991_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:bee9a86adcd6974536fa31d054a880238a720b8bfcd7efc5d656a0ddd5111d06_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/kiali-rhel8@sha256:eebc6514999806d2726fea70bd7f4979dd71a7b2f2aa220ead6b5a838a0ffbdf_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:7b59f76549db37ee09757d79692c52abf1c01baea84fbc98ce5aabc530232f45_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:a4b7ddd16863e41a6642fc52c566d94069732afafdcbd761385be1e4e04c8521_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/pilot-rhel8@sha256:bc137efedf8eaf278f508b7f652e7db96f3dcfbb1b685e5a9359680c77b1838a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:2371e4effbf6a4846599729701de09a5613a2df29fee9858b0526470d63a5eb7_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:a2e263be450ab7c304d5b9a79d13e8f65a2b82d259034fc34b8f69cfa8029601_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/prometheus-rhel8@sha256:f5d874b252b5fa89e85db384b81096cd84fbfafc593532bb6ea0175f680115c7_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:4ffd0acfd05fa5cab68372121f34901adcef3f94d9c38beee8559f9ad8a0fd5a_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:8c3838d96559d417f8986703803843e77732d399d911097488a554b037e2e446_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/proxyv2-rhel8@sha256:99e0a7f2861823dbd94ed53294a255aab2f710cc0c932dca84ae0681494e029b_amd64", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:0f35f2a716c4a04873d6dfad61f0d8fc262f2190609cd1cc5578da48cd9d0f4d_ppc64le", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:19821b7b74ed96b78f3322c1b770053c532c27b11b66978731ab4aa257991e81_s390x", "8Base-RHOSSM-2.2:openshift-service-mesh/ratelimit-rhel8@sha256:8918686da37dad102867ad55788b2b0f7d750cf137b76a4ca51e244367de6375_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "terser: insecure use of regular expressions leads to ReDoS" } ] }
rhsa-2023_0693
Vulnerability from csaf_redhat
Published
2023-02-09 02:17
Modified
2024-12-10 17:43
Summary
Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.7 security and bug fix update
Notes
Topic
The Migration Toolkit for Containers (MTC) 1.7.7 is now available.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.
Security Fix(es) from Bugzilla:
* async: Prototype Pollution in async (CVE-2021-43138)
* golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
* golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags (CVE-2022-32149)
* golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
* golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "The Migration Toolkit for Containers (MTC) 1.7.7 is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.\n\nSecurity Fix(es) from Bugzilla:\n\n* async: Prototype Pollution in async (CVE-2021-43138)\n\n* golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)\n\n* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)\n\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n\n* golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags (CVE-2022-32149)\n\n* golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)\n\n* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n\n* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\n* golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:0693", "url": "https://access.redhat.com/errata/RHSA-2023:0693" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2113814", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2113814" }, { "category": "external", "summary": "2124668", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124668" }, { "category": "external", "summary": "2124669", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669" }, { "category": "external", "summary": "2126276", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126276" }, { "category": "external", "summary": "2132867", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132867" }, { "category": "external", "summary": "2132868", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868" }, { "category": "external", "summary": "2132872", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872" }, { "category": "external", "summary": "2134010", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134010" }, { "category": "external", "summary": "2160662", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160662" }, { "category": "external", "summary": "2161274", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274" }, { "category": "external", "summary": "MIG-1275", "url": "https://issues.redhat.com/browse/MIG-1275" }, { "category": "external", "summary": "MIG-1281", "url": "https://issues.redhat.com/browse/MIG-1281" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0693.json" } ], "title": "Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.7 security and bug fix update", "tracking": { "current_release_date": "2024-12-10T17:43:23+00:00", "generator": { "date": "2024-12-10T17:43:23+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2023:0693", "initial_release_date": "2023-02-09T02:17:22+00:00", "revision_history": [ { "date": "2023-02-09T02:17:22+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-02-09T02:17:22+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-10T17:43:23+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "8Base-RHMTC-1.7", "product": { "name": "8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhmt:1.7::el8" } } } ], "category": "product_family", "name": "Red Hat Migration Toolkit" }, { "branches": [ { "category": "product_version", "name": "rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "product": { "name": "rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "product_id": "rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-controller-rhel8\u0026tag=v1.7.7-4" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "product": { "name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "product_id": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8\u0026tag=v1.7.7-3" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "product": { "name": "rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "product_id": "rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-legacy-rhel8-operator\u0026tag=v1.7.7-9" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "product": { "name": "rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "product_id": "rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8\u0026tag=v1.7.7-3" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "product": { "name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "product_id": "rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8\u0026tag=v1.7.7-4" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "product": { "name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "product_id": "rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8\u0026tag=v1.7.7-2" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "product": { "name": "rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "product_id": "rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-rhel8-operator\u0026tag=v1.7.7-9" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "product": { "name": "rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "product_id": "rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-operator-bundle\u0026tag=v1.7.7-9" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "product": { "name": "rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "product_id": "rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-registry-rhel8\u0026tag=v1.7.7-3" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "product": { "name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "product_id": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8\u0026tag=v1.7.7-2" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "product": { "name": "rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "product_id": "rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-ui-rhel8\u0026tag=v1.7.7-3" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64", "product": { "name": "rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64", "product_id": "rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-rhel8\u0026tag=v1.7.7-5" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "product": { "name": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "product_id": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-aws-rhel8\u0026tag=v1.7.7-3" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "product": { "name": "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "product_id": "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8\u0026tag=v1.7.7-3" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "product": { "name": "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "product_id": "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8\u0026tag=v1.7.7-3" } } }, { "category": "product_version", "name": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "product": { "name": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "product_id": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-restic-restore-helper-rhel8\u0026tag=v1.7.7-5" } } }, { "category": "product_version", "name": "rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64", "product": { "name": "rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64", "product_id": "rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64", "product_identification_helper": { "purl": "pkg:oci/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-velero-plugin-rhel8\u0026tag=v1.7.7-3" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64" }, "product_reference": "rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64" }, "product_reference": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64" }, "product_reference": "rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64" }, "product_reference": "rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64" }, "product_reference": "rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64" }, "product_reference": "rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64" }, "product_reference": "rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64" }, "product_reference": "rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64" }, "product_reference": "rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64" }, "product_reference": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64" }, "product_reference": "rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64" }, "product_reference": "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64" }, "product_reference": "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64" }, "product_reference": "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64" }, "product_reference": "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64" }, "product_reference": "rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64 as a component of 8Base-RHMTC-1.7", "product_id": "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" }, "product_reference": "rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64", "relates_to_product_reference": "8Base-RHMTC-1.7" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-43138", "cwe": { "id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" }, "discovery_date": "2022-09-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2126276" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in the async package. This flaw allows a malicious user to obtain privileges via the mapValues() method.", "title": "Vulnerability description" }, { "category": "summary", "text": "async: Prototype Pollution in async", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-43138" }, { "category": "external", "summary": "RHBZ#2126276", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126276" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-43138", "url": "https://www.cve.org/CVERecord?id=CVE-2021-43138" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", "url": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25" } ], "release_date": "2022-04-07T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-09T02:17:22+00:00", "details": "For details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0693" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "async: Prototype Pollution in async" }, { "acknowledgments": [ { "names": [ "Adam Korczynski" ], "organization": "ADA Logics" }, { "names": [ "OSS-Fuzz" ] } ], "cve": "CVE-2022-2879", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "discovery_date": "2022-10-07T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2132867" } ], "notes": [ { "category": "description", "text": "A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: archive/tar: unbounded memory consumption when reading headers", "title": "Vulnerability summary" }, { "category": "other", "text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-2879" }, { "category": "external", "summary": "RHBZ#2132867", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132867" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-2879", "url": "https://www.cve.org/CVERecord?id=CVE-2022-2879" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2879", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2879" }, { "category": "external", "summary": "https://github.com/golang/go/issues/54853", "url": "https://github.com/golang/go/issues/54853" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1", "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1" } ], "release_date": "2022-10-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-09T02:17:22+00:00", "details": "For details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0693" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: archive/tar: unbounded memory consumption when reading headers" }, { "acknowledgments": [ { "names": [ "Daniel Abeles" ], "organization": "Head of Research, Oxeye" }, { "names": [ "Gal Goldstein" ], "organization": "Security Researcher, Oxeye" } ], "cve": "CVE-2022-2880", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2022-10-07T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2132868" } ], "notes": [ { "category": "description", "text": "A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request\u0027s form field is set after the reverse proxy. The director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters", "title": "Vulnerability summary" }, { "category": "other", "text": "The opportunity to exploit this vulnerability is limited to the Golang runtime. In the case of the OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-2880" }, { "category": "external", "summary": "RHBZ#2132868", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-2880", "url": "https://www.cve.org/CVERecord?id=CVE-2022-2880" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880" }, { "category": "external", "summary": "https://github.com/golang/go/issues/54663", "url": "https://github.com/golang/go/issues/54663" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1", "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1" } ], "release_date": "2022-10-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-09T02:17:22+00:00", "details": "For details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0693" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters" }, { "cve": "CVE-2022-27664", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-09-06T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2124669" } ], "notes": [ { "category": "description", "text": "A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: net/http: handle server errors after sending GOAWAY", "title": "Vulnerability summary" }, { "category": "other", "text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-27664" }, { "category": "external", "summary": "RHBZ#2124669", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-27664", "url": "https://www.cve.org/CVERecord?id=CVE-2022-27664" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664" }, { "category": "external", "summary": "https://go.dev/issue/54658", "url": "https://go.dev/issue/54658" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ", "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ" } ], "release_date": "2022-09-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-09T02:17:22+00:00", "details": "For details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0693" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: net/http: handle server errors after sending GOAWAY" }, { "cve": "CVE-2022-32149", "cwe": { "id": "CWE-407", "name": "Inefficient Algorithmic Complexity" }, "discovery_date": "2022-10-12T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2134010" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service, and can impact availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-32149" }, { "category": "external", "summary": "RHBZ#2134010", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134010" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-32149", "url": "https://www.cve.org/CVERecord?id=CVE-2022-32149" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149" }, { "category": "external", "summary": "https://go.dev/issue/56152", "url": "https://go.dev/issue/56152" }, { "category": "external", "summary": "https://groups.google.com/g/golang-dev/c/qfPIly0X7aU", "url": "https://groups.google.com/g/golang-dev/c/qfPIly0X7aU" } ], "release_date": "2022-10-11T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-09T02:17:22+00:00", "details": "For details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0693" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags" }, { "cve": "CVE-2022-32189", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-08-02T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2113814" } ], "notes": [ { "category": "description", "text": "An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go, potentially allowing an attacker to create a denial of service, impacting availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service", "title": "Vulnerability summary" }, { "category": "other", "text": "This flaw stems from a particular and specific method (GoBDecode) which isn\u0027t commonly used. There are few components within Red Hat offerings which call this function. In rare cases where this method is called, the component limits possible damage or it is not possible to be triggered by an attacker. For these combined reasons the impact has been downgraded to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-32189" }, { "category": "external", "summary": "RHBZ#2113814", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2113814" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-32189", "url": "https://www.cve.org/CVERecord?id=CVE-2022-32189" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-32189", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32189" }, { "category": "external", "summary": "https://go.dev/issue/53871", "url": "https://go.dev/issue/53871" }, { "category": "external", "summary": "https://groups.google.com/g/golang-nuts/c/DCFSyTGM0wU", "url": "https://groups.google.com/g/golang-nuts/c/DCFSyTGM0wU" } ], "release_date": "2022-08-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-09T02:17:22+00:00", "details": "For details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0693" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" }, { "cve": "CVE-2022-32190", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2022-09-06T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2124668" } ], "notes": [ { "category": "description", "text": "A flaw was found in the golang package. The JoinPath doesn\u0027t remove the ../ path components appended to a domain that is not terminated by a slash, possibly leading to a directory traversal attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: net/url: JoinPath does not strip relative path components in all circumstances", "title": "Vulnerability summary" }, { "category": "other", "text": "The vulnerable functions, JoinPath and URL.JoinPath was introduced in upstream go1.19, whereas, RHEL ships go1.17 and go1.18 versions, which does not contain the vulnerable code. Hence, packages shipped with RHEL-8, RHEL-9 are not affected.\n\nAll Y stream releases of OpenShift Container Platform 4 run on RHEL-8 or RHEL-9, so OCP 4 is also not affected.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-32190" }, { "category": "external", "summary": "RHBZ#2124668", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124668" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-32190", "url": "https://www.cve.org/CVERecord?id=CVE-2022-32190" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-32190", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32190" }, { "category": "external", "summary": "https://go.dev/issue/54385", "url": "https://go.dev/issue/54385" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ", "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ" } ], "release_date": "2022-09-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-09T02:17:22+00:00", "details": "For details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0693" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: net/url: JoinPath does not strip relative path components in all circumstances" }, { "acknowledgments": [ { "names": [ "Adam Korczynski" ], "organization": "ADA Logics" }, { "names": [ "OSS-Fuzz" ] } ], "cve": "CVE-2022-41715", "discovery_date": "2022-10-07T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2132872" } ], "notes": [ { "category": "description", "text": "A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: regexp/syntax: limit memory used by parsing regexps", "title": "Vulnerability summary" }, { "category": "other", "text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-41715" }, { "category": "external", "summary": "RHBZ#2132872", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41715", "url": "https://www.cve.org/CVERecord?id=CVE-2022-41715" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715" }, { "category": "external", "summary": "https://github.com/golang/go/issues/55949", "url": "https://github.com/golang/go/issues/55949" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1", "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1" } ], "release_date": "2022-10-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-09T02:17:22+00:00", "details": "For details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0693" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: regexp/syntax: limit memory used by parsing regexps" }, { "cve": "CVE-2022-41717", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "discovery_date": "2023-01-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2161274" } ], "notes": [ { "category": "description", "text": "A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests", "title": "Vulnerability summary" }, { "category": "other", "text": "Within Red Hat OpenShift Container Platform, the grafana container is listed as will not fix. Since OCP 4.10, Grafana itself is not shipped and the Grafana web server is protected behind an OAuth proxy server.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ], "known_not_affected": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-41717" }, { "category": "external", "summary": "RHBZ#2161274", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41717", "url": "https://www.cve.org/CVERecord?id=CVE-2022-41717" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717" }, { "category": "external", "summary": "https://go.dev/cl/455635", "url": "https://go.dev/cl/455635" }, { "category": "external", "summary": "https://go.dev/cl/455717", "url": "https://go.dev/cl/455717" }, { "category": "external", "summary": "https://go.dev/issue/56350", "url": "https://go.dev/issue/56350" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ", "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2022-1144", "url": "https://pkg.go.dev/vuln/GO-2022-1144" } ], "release_date": "2022-11-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-09T02:17:22+00:00", "details": "For details on how to install and use MTC, refer to:\n\nhttps://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html", "product_ids": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0693" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "8Base-RHMTC-1.7:rhmtc/openshift-migration-controller-rhel8@sha256:362eb32d0d2607f72b4f425dabaea7cde5d292ac41aea0c18c78bc6e408fff9e_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-hook-runner-rhel8@sha256:aa63717ac3a4961e774ed0baa3a73f01eda185516e7380579d97b9d25764d10d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-legacy-rhel8-operator@sha256:1ac9cdfbdce8f7b6e4ebf5e40013f766b71b6dd604c92f602aca96612a228eda_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-log-reader-rhel8@sha256:d89e9ef65993466d25b26702d0210c14ce191155501774f4d2f1f08dbdad9804_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-must-gather-rhel8@sha256:5acf34dc4041b694b452d46c2f656db566241773285ca305a79ab7b9dc087b43_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-openvpn-rhel8@sha256:15df7304827ce49d422554551f08d99cfffa1afc4ffacac145d4399ccb1cbd68_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-operator-bundle@sha256:90ed03a5e0cb0b0ffd85f7434cc4eda9bd8fe81cd90b597772d9b7caccd4b80f_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-registry-rhel8@sha256:aaa03ef0769d38185675db2a7a78454659de14bdebe5ff842614bf2124e5adfe_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rhel8-operator@sha256:aaaf4f6095294b497889749390f0a3aac04b83131a423799c44b5e367e0b370a_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:58bd4ffc3e9599401251ac929cf15c1773ecc03a57177118adbe23ac8d7762af_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-ui-rhel8@sha256:4141db5099ae659270297eb4aaff695ac43fce67d91fea49dbc76583f419d3a1_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:633eeb0b6b50e21bbc0fb12fd2262294733fc9ac8b1e9eedcdb9d1433534d88d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:19dbf2bb83f8a0f35079d6ae25f8fcddad970e48ecb21694fd2d4c553313e4aa_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:93e95f065eadaa41154b9012dd5ddc824607758e2bce85c4256c2689125b80a4_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:70d3d46f54b91538e047df62e7e5b161fabac195a2f2e45cdba78215b4c82a7d_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-migration-velero-rhel8@sha256:1ca6945c3918f1743a4cee86a507f9f6581c8f8e572b6b8739d79a675a64d1db_amd64", "8Base-RHMTC-1.7:rhmtc/openshift-velero-plugin-rhel8@sha256:26f8fb5c41ece82626325ba502505ba1ca7986602cc147b492f9857caa0be868_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests" } ] }
gsd-2021-43138
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Aliases
Aliases
{ "GSD": { "alias": "CVE-2021-43138", "description": "A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2) , which could let a malicious user obtain privileges via the mapValues() method.", "id": "GSD-2021-43138", "references": [ "https://www.suse.com/security/cve/CVE-2021-43138.html", "https://access.redhat.com/errata/RHSA-2023:0693" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2021-43138" ], "details": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", "id": "GSD-2021-43138", "modified": "2023-12-13T01:23:25.976923Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-43138", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", "refsource": "MISC", "url": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js" }, { "name": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", "refsource": "MISC", "url": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js" }, { "name": "https://jsfiddle.net/oz5twjd9/", "refsource": "MISC", "url": "https://jsfiddle.net/oz5twjd9/" }, { "name": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", "refsource": "MISC", "url": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d" }, { "name": "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", "refsource": "MISC", "url": "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264" }, { "name": "https://github.com/caolan/async/pull/1828", "refsource": "MISC", "url": "https://github.com/caolan/async/pull/1828" }, { "name": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", "refsource": "MISC", "url": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4" }, { "name": "FEDORA-2023-ce8943223c", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/" }, { "name": "FEDORA-2023-18fd476362", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/" } ] } }, "gitlab.com": { "advisories": [ { "affected_range": "\u003c2.6.4||\u003e=3.0.0 \u003c3.2.2", "affected_versions": "All versions before 2.6.4, all versions starting from 3.0.0 before 3.2.2", "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-1321", "CWE-937" ], "date": "2023-02-23", "description": "A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.", "fixed_versions": [ "2.6.4", "3.2.2" ], "identifier": "CVE-2021-43138", "identifiers": [ "CVE-2021-43138", "GHSA-fwr7-v2mv-hh25" ], "not_impacted": "All versions starting from 2.6.4 before 3.0.0, all versions starting from 3.2.2", "package_slug": "npm/async", "pubdate": "2022-04-06", "solution": "Upgrade to versions 2.6.4, 3.2.2 or above.", "title": "Prototype Pollution in async", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", "https://jsfiddle.net/oz5twjd9/", "https://github.com/advisories/GHSA-fwr7-v2mv-hh25" ], "uuid": "81b070d9-73e0-4402-93cc-178e7fd015cd" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:async_project:async:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.6.4", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:async_project:async:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "3.2.2", "versionStartIncluding": "3.0.0", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-43138" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-1321" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", "refsource": "MISC", "tags": [ "Third Party Advisory" ], "url": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js" }, { "name": "https://jsfiddle.net/oz5twjd9/", "refsource": "MISC", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://jsfiddle.net/oz5twjd9/" }, { "name": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", "refsource": "MISC", "tags": [ "Third Party Advisory" ], "url": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js" }, { "name": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", "refsource": "MISC", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d" }, { "name": "https://github.com/caolan/async/pull/1828", "refsource": "MISC", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/caolan/async/pull/1828" }, { "name": "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", "refsource": "MISC", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264" }, { "name": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", "refsource": "MISC", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4" }, { "name": "FEDORA-2023-ce8943223c", "refsource": "FEDORA", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/" }, { "name": "FEDORA-2023-18fd476362", "refsource": "FEDORA", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true }, "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9 } }, "lastModifiedDate": "2023-02-23T20:20Z", "publishedDate": "2022-04-06T17:15Z" } } }
ghsa-fwr7-v2mv-hh25
Vulnerability from github
Published
2022-04-07 00:00
Modified
2024-06-24 21:23
Severity ?
Summary
Prototype Pollution in async
Details
A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the mapValues()
method.
{ "affected": [ { "package": { "ecosystem": "npm", "name": "async" }, "ranges": [ { "events": [ { "introduced": "3.0.0" }, { "fixed": "3.2.2" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "npm", "name": "async" }, "ranges": [ { "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.4" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2021-43138" ], "database_specific": { "cwe_ids": [ "CWE-1321" ], "github_reviewed": true, "github_reviewed_at": "2022-04-07T22:13:35Z", "nvd_published_at": "2022-04-06T17:15:00Z", "severity": "HIGH" }, "details": "A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the `mapValues()` method.", "id": "GHSA-fwr7-v2mv-hh25", "modified": "2024-06-24T21:23:09Z", "published": "2022-04-07T00:00:17Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138" }, { "type": "WEB", "url": "https://github.com/caolan/async/pull/1828" }, { "type": "WEB", "url": "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2" }, { "type": "WEB", "url": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d" }, { "type": "PACKAGE", "url": "https://github.com/caolan/async" }, { "type": "WEB", "url": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js" }, { "type": "WEB", "url": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js" }, { "type": "WEB", "url": "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264" }, { "type": "WEB", "url": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4" }, { "type": "WEB", "url": "https://jsfiddle.net/oz5twjd9" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240621-0006" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Prototype Pollution in async" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.