{
  "GSD": {
    "alias": "CVE-2023-50728",
    "id": "GSD-2023-50728"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-50728"
      ],
      "details": "octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request was found to cause an uncaught exception that ends the nodejs process.  The bug is fixed in octokit/webhooks.js 9.26.3, 10.9.2, 11.1.2, and 12.0.4, app.js 14.02, octokit.js 3.1.2, and Protobot 12.3.3.",
      "id": "GSD-2023-50728",
      "modified": "2023-12-13T01:20:31.430436Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-50728",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "webhooks.js",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 9.26.0, \u003c 9.26.3"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 10.9.0, \u003c 10.9.2"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 11.1.0, \u003c 11.1.2"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 12.0.0, \u003c 12.0.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "octokit"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request was found to cause an uncaught exception that ends the nodejs process.  The bug is fixed in octokit/webhooks.js 9.26.3, 10.9.2, 11.1.2, and 12.0.4, app.js 14.02, octokit.js 3.1.2, and Protobot 12.3.3."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-755",
                "lang": "eng",
                "value": "CWE-755: Improper Handling of Exceptional Conditions"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv",
            "refsource": "MISC",
            "url": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv"
          },
          {
            "name": "https://github.com/octokit/app.js/releases/tag/v14.0.2",
            "refsource": "MISC",
            "url": "https://github.com/octokit/app.js/releases/tag/v14.0.2"
          },
          {
            "name": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2",
            "refsource": "MISC",
            "url": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2"
          },
          {
            "name": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2",
            "refsource": "MISC",
            "url": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2"
          },
          {
            "name": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2",
            "refsource": "MISC",
            "url": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2"
          },
          {
            "name": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4",
            "refsource": "MISC",
            "url": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4"
          },
          {
            "name": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3",
            "refsource": "MISC",
            "url": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3"
          },
          {
            "name": "https://github.com/probot/probot/releases/tag/v12.3.3",
            "refsource": "MISC",
            "url": "https://github.com/probot/probot/releases/tag/v12.3.3"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-pwfr-8pq7-x9qv",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:octokit:app:14.0.1:*:*:*:*:node.js:*:*",
                    "matchCriteriaId": "6D8BE8ED-7684-4F25-AE87-1739F1432742",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:octokit:octokit:*:*:*:*:*:node.js:*:*",
                    "matchCriteriaId": "A734E79A-E7A2-4A97-B875-DCCBCBB226F6",
                    "versionEndExcluding": "3.1.2",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:octokit:webhooks:*:*:*:*:*:node.js:*:*",
                    "matchCriteriaId": "57318B95-09DC-4A5B-AA66-F8911722138D",
                    "versionEndExcluding": "9.26.3",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:octokit:webhooks:*:*:*:*:*:node.js:*:*",
                    "matchCriteriaId": "718FA3E2-34B9-4AB7-86E2-ED91BCDB5FEC",
                    "versionEndExcluding": "10.9.2",
                    "versionStartIncluding": "10.0.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:octokit:webhooks:*:*:*:*:*:node.js:*:*",
                    "matchCriteriaId": "4B6206DA-B77A-47EB-98AE-B5B5D2B56E5A",
                    "versionEndExcluding": "11.1.2",
                    "versionStartIncluding": "11.0.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:octokit:webhooks:*:*:*:*:*:node.js:*:*",
                    "matchCriteriaId": "0F1F07B3-C4E0-4E7E-934A-A0C57EA8A246",
                    "versionEndExcluding": "12.0.4",
                    "versionStartIncluding": "12.0.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:probot:probot:*:*:*:*:*:node.js:*:*",
                    "matchCriteriaId": "84995A76-C69A-400C-B668-87394E5BE7B9",
                    "versionEndExcluding": "12.3.3",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request was found to cause an uncaught exception that ends the nodejs process.  The bug is fixed in octokit/webhooks.js 9.26.3, 10.9.2, 11.1.2, and 12.0.4, app.js 14.02, octokit.js 3.1.2, and Protobot 12.3.3."
          },
          {
            "lang": "es",
            "value": "octokit/webhooks es un conjunto de herramientas de eventos de webhook de GitHub para Node.js. A partir de 9.26.0 y anteriores a 9.26.3, 10.9.2, 11.1.2 y 12.0.4, hay un problema causado por un problema con el manejo de errores en la librer\u00eda @octokit/webhooks porque el error puede no estar definido en algunos casos. Se descubri\u00f3 que la solicitud resultante provoca una excepci\u00f3n no detectada que finaliza el proceso de nodejs. El error se solucion\u00f3 en octokit/webhooks.js 9.26.3, 10.9.2, 11.1.2 y 12.0.4, app.js 14.02, octokit.js 3.1.2 y Protobot 12.3.3."
          }
        ],
        "id": "CVE-2023-50728",
        "lastModified": "2023-12-19T20:43:55.837",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.2,
              "impactScore": 4.2,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2023-12-15T22:15:07.160",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Release Notes"
            ],
            "url": "https://github.com/octokit/app.js/releases/tag/v14.0.2"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Release Notes"
            ],
            "url": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Release Notes"
            ],
            "url": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Release Notes"
            ],
            "url": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Release Notes"
            ],
            "url": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Release Notes"
            ],
            "url": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Release Notes"
            ],
            "url": "https://github.com/probot/probot/releases/tag/v12.3.3"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-755"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:octokit:app:14.0.1:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "6D8BE8ED-7684-4F25-AE87-1739F1432742",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:octokit:octokit:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "A734E79A-E7A2-4A97-B875-DCCBCBB226F6",
              "versionEndExcluding": "3.1.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:octokit:webhooks:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "57318B95-09DC-4A5B-AA66-F8911722138D",
              "versionEndExcluding": "9.26.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:octokit:webhooks:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "718FA3E2-34B9-4AB7-86E2-ED91BCDB5FEC",
              "versionEndExcluding": "10.9.2",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:octokit:webhooks:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "4B6206DA-B77A-47EB-98AE-B5B5D2B56E5A",
              "versionEndExcluding": "11.1.2",
              "versionStartIncluding": "11.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:octokit:webhooks:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "0F1F07B3-C4E0-4E7E-934A-A0C57EA8A246",
              "versionEndExcluding": "12.0.4",
              "versionStartIncluding": "12.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:probot:probot:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "84995A76-C69A-400C-B668-87394E5BE7B9",
              "versionEndExcluding": "12.3.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request was found to cause an uncaught exception that ends the nodejs process.  The bug is fixed in octokit/webhooks.js 9.26.3, 10.9.2, 11.1.2, and 12.0.4, app.js 14.02, octokit.js 3.1.2, and Protobot 12.3.3."
    },
    {
      "lang": "es",
      "value": "octokit/webhooks es un conjunto de herramientas de eventos de webhook de GitHub para Node.js. A partir de 9.26.0 y anteriores a 9.26.3, 10.9.2, 11.1.2 y 12.0.4, hay un problema causado por un problema con el manejo de errores en la librer\u00eda @octokit/webhooks porque el error puede no estar definido en algunos casos. Se descubri\u00f3 que la solicitud resultante provoca una excepci\u00f3n no detectada que finaliza el proceso de nodejs. El error se solucion\u00f3 en octokit/webhooks.js 9.26.3, 10.9.2, 11.1.2 y 12.0.4, app.js 14.02, octokit.js 3.1.2 y Protobot 12.3.3."
    }
  ],
  "id": "CVE-2023-50728",
  "lastModified": "2024-11-21T08:37:13.543",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-12-15T22:15:07.160",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/octokit/app.js/releases/tag/v14.0.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/probot/probot/releases/tag/v12.3.3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/octokit/app.js/releases/tag/v14.0.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/probot/probot/releases/tag/v12.3.3"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-755"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat Developer Hub 1.1 has been released.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Developer Hub (RHDH) is Red Hat\u0027s enterprise-grade, self-managed, customizable developer portal based on Backstage.io.  RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHEA-2024:1366",
        "url": "https://access.redhat.com/errata/RHEA-2024:1366"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_developer_hub/1.1",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_developer_hub/1.1"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhea-2024_1366.json"
      }
    ],
    "title": "Red Hat Enhancement Advisory: Red Hat Developer Hub 1.1 release",
    "tracking": {
      "current_release_date": "2025-09-30T07:32:10+00:00",
      "generator": {
        "date": "2025-09-30T07:32:10+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.8"
        }
      },
      "id": "RHEA-2024:1366",
      "initial_release_date": "2024-03-18T18:49:30+00:00",
      "revision_history": [
        {
          "date": "2024-03-18T18:49:30+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-03-18T18:49:30+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-09-30T07:32:10+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "RHDH 1.1 for RHEL 9",
                "product": {
                  "name": "RHDH 1.1 for RHEL 9",
                  "product_id": "9Base-RHDH-1.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhdh:1.1::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Developer Hub"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
                "product": {
                  "name": "rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
                  "product_id": "rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-hub-rhel9\u0026tag=1.1-97"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
                "product": {
                  "name": "rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
                  "product_id": "rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-operator-bundle\u0026tag=1.1-118"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64",
                "product": {
                  "name": "rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64",
                  "product_id": "rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-rhel9-operator\u0026tag=1.1-85"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64 as a component of RHDH 1.1 for RHEL 9",
          "product_id": "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64"
        },
        "product_reference": "rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
        "relates_to_product_reference": "9Base-RHDH-1.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64 as a component of RHDH 1.1 for RHEL 9",
          "product_id": "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64"
        },
        "product_reference": "rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
        "relates_to_product_reference": "9Base-RHDH-1.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64 as a component of RHDH 1.1 for RHEL 9",
          "product_id": "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
        },
        "product_reference": "rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64",
        "relates_to_product_reference": "9Base-RHDH-1.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-26159",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2024-01-02T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2256413"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An Improper Input Validation flaw was found in follow-redirects due to the improper handling of URLs by the url.parse() function. When a new URL() throws an error, it can be manipulated to misinterpret the hostname. This issue could allow an attacker to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "follow-redirects is a transitive dependency of Grafana, and does not affect Red Hat Enterprise Linux 8.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-20: Improper Input Validation vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat enforces the principle of least functionality, ensuring that only essential features, services, and ports are enabled. This minimizes the number of components that could be affected by input validation vulnerabilities. Security testing and evaluation standards are implemented within the environment to rigorously test input validation mechanisms during the development lifecycle, while static code analysis identifies potential input validation vulnerabilities by default. Process isolation ensures that processes handling potentially malicious or unvalidated inputs run in isolated environments by separating execution domains for each process. Malicious code protections, such as IPS/IDS and antimalware solutions, help detect and mitigate malicious payloads stemming from input validation vulnerabilities. Finally, robust input validation and error-handling mechanisms ensure all user inputs are thoroughly validated, preventing improperly validated inputs from causing system instability, exposing sensitive data, or escalating risks further.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
          "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-26159"
        },
        {
          "category": "external",
          "summary": "RHBZ#2256413",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256413"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-26159",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-26159"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-26159",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26159"
        }
      ],
      "release_date": "2024-01-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-03-18T18:49:30+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2024:1366"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()"
    },
    {
      "cve": "CVE-2023-39325",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2023-10-10T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2243296"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as \u0027Important\u0027 as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\r\n\r\nCVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This CVE is related to CVE-2023-44487.\n\nThe majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools utilize Golang package as build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
          "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-39325"
        },
        {
          "category": "external",
          "summary": "RHBZ#2243296",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243296"
        },
        {
          "category": "external",
          "summary": "RHSB-2023-003",
          "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-39325",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-39325"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/security/cve/CVE-2023-44487",
          "url": "https://access.redhat.com/security/cve/CVE-2023-44487"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/63417",
          "url": "https://go.dev/issue/63417"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-2102",
          "url": "https://pkg.go.dev/vuln/GO-2023-2102"
        },
        {
          "category": "external",
          "summary": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
          "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
        }
      ],
      "release_date": "2023-10-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-03-18T18:49:30+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2024:1366"
        },
        {
          "category": "workaround",
          "details": "The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)"
    },
    {
      "cve": "CVE-2023-42282",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "discovery_date": "2024-02-20T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2265161"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in the NPM IP Package. This flaw allows an attacker to perform arbitrary code execution and obtain sensitive information via the isPublic() function by inducing a Server-Side Request Forgery (SSRF) attack and obtaining access to normally inaccessible resources.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "nodejs-ip: arbitrary code execution via the isPublic() function",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "It appears that npm does not utilize the bundled code therefore Red Hat Enterprise Linux is not affected by this vulnerability.\n\nWhile the vulnerability in the NPM IP Package presents a significant security concern, it\u0027s categorized as important rather than critical due to several factors. Firstly, the misclassification of the private IP address 0x7f.1 as public by the isPublic() function does not directly lead to remote code execution or unauthorized access to critical systems. Instead, it facilitates SSRF attacks, which typically require additional conditions to fully exploit, such as the ability to influence server-side requests and responses. Additionally, the impact of SSRF attacks can vary depending on the specific environment and configuration of the affected system. While SSRF attacks can potentially lead to data exposure, service disruption, or lateral movement within a network, their severity is often mitigated by factors such as network segmentation, access controls, and the availability of sensitive resources.\n\nRed Hat Developer Hub contains a fix in 1.1-91 version.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
          "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-42282"
        },
        {
          "category": "external",
          "summary": "RHBZ#2265161",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265161"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-42282",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-42282"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-42282",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42282"
        },
        {
          "category": "external",
          "summary": "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html",
          "url": "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html"
        }
      ],
      "release_date": "2024-02-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-03-18T18:49:30+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2024:1366"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "nodejs-ip: arbitrary code execution via the isPublic() function"
    },
    {
      "cve": "CVE-2023-44487",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2023-10-09T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2242803"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as \u0027Important\u0027 as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\r\n\r\nCVE-2023-39325 was assigned for the Rapid Reset Attack in the Go language packages.\r\n\r\nSecurity Bulletin\r\nhttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "NGINX has been marked as Moderate Impact because, for performance and resource consumption reasons, NGINX limits the number of concurrent streams to a default of 128. In addition, to optimally balance network and server performance, NGINX allows the client to persist HTTP connections for up to 1000 requests by default using an HTTP keepalive.\n\nThe majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools utilize Golang package as build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.\n\nrhc component is no longer impacted by CVE-2023-44487 \u0026 CVE-2023-39325.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
          "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-44487"
        },
        {
          "category": "external",
          "summary": "RHBZ#2242803",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
        },
        {
          "category": "external",
          "summary": "RHSB-2023-003",
          "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-44487",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
        },
        {
          "category": "external",
          "summary": "https://github.com/dotnet/announcements/issues/277",
          "url": "https://github.com/dotnet/announcements/issues/277"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-2102",
          "url": "https://pkg.go.dev/vuln/GO-2023-2102"
        },
        {
          "category": "external",
          "summary": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
          "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
        },
        {
          "category": "external",
          "summary": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/",
          "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
        },
        {
          "category": "external",
          "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
          "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        }
      ],
      "release_date": "2023-10-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-03-18T18:49:30+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2024:1366"
        },
        {
          "category": "workaround",
          "details": "Users are strongly urged to update their software as soon as fixes are available. \nThere are several mitigation approaches for this flaw. \n\n1. If circumstances permit, users may disable http2 endpoints to circumvent the flaw altogether until a fix is available.\n2. IP-based blocking or flood protection and rate control tools may be used at network endpoints to filter incoming traffic.\n3. Several package specific mitigations are also available. \n     a. nginx: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/\n     b. netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p\n     c. haproxy: https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487\n     d. nghttp2: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg\n     e. golang: The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "exploit_status",
          "date": "2023-10-10T00:00:00+00:00",
          "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        },
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)"
    },
    {
      "cve": "CVE-2023-45143",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2023-10-13T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2244104"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Undici node package due to the occurrence of Cross-origin requests, possibly leading to a cookie header leakage. By default, cookie headers are forbidden request headers, and they must be enabled. This flaw allows a malicious user to access this leaked cookie if they have control of the redirection.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "node-undici: cookie leakage",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Since this requires a non-standard configuration, as well as control of the redirection, Red Hat rates this as having a Low impact.\n\nRed Hat Developer Hub has included a fix for this.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
          "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-45143"
        },
        {
          "category": "external",
          "summary": "RHBZ#2244104",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2244104"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-45143",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-45143"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45143",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45143"
        },
        {
          "category": "external",
          "summary": "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g",
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g"
        }
      ],
      "release_date": "2023-10-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-03-18T18:49:30+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2024:1366"
        },
        {
          "category": "workaround",
          "details": "No current mitigation is available.",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.9,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "node-undici: cookie leakage"
    },
    {
      "cve": "CVE-2023-48631",
      "cwe": {
        "id": "CWE-1333",
        "name": "Inefficient Regular Expression Complexity"
      },
      "discovery_date": "2023-12-14T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2254559"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A Regular Expression Denial of Service (ReDoS) vulnerability was found in Adobe\u0027s css-tools when parsing CSS. This issue occurs due to improper input validation and may allow an attacker to use a carefully crafted input string to cause a denial of service, especially when attempting to parse CSS.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "css-tools: regular expression denial of service (ReDoS) when parsing CSS",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The Regular Expression Denial of Service (ReDoS) vulnerability in css-tools, triggered by improper input validation when parsing CSS, is considered of moderate severity. While it can lead to a denial of service by causing the application to become unresponsive, the impact is limited to scenarios where an attacker can provide crafted input. Additionally, the absence of evidence of active exploitation in the wild and contextual factors, such as the software\u0027s usage, contribute to the moderate severity rating.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
          "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-48631"
        },
        {
          "category": "external",
          "summary": "RHBZ#2254559",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254559"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-48631",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-48631"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-48631",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48631"
        },
        {
          "category": "external",
          "summary": "https://github.com/adobe/css-tools/security/advisories/GHSA-prr3-c3m5-p7q2",
          "url": "https://github.com/adobe/css-tools/security/advisories/GHSA-prr3-c3m5-p7q2"
        }
      ],
      "release_date": "2023-12-14T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-03-18T18:49:30+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2024:1366"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "css-tools: regular expression denial of service (ReDoS) when parsing CSS"
    },
    {
      "cve": "CVE-2023-50728",
      "cwe": {
        "id": "CWE-755",
        "name": "Improper Handling of Exceptional Conditions"
      },
      "discovery_date": "2023-12-17T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2254872"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An uncaught exception vulnerability was found in octokit webhooks. An error may be undefined in some cases, and the resulting request can cause an uncaught exception that ends the nodejs process.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "octopost/webhooks: uncaught exception",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The uncaught exception vulnerability in Octokit webhooks presents a moderate severity issue due to its potential to cause service disruptions and expose applications to unexpected behavior. In technical terms, the absence of proper error handling for undefined errors can lead to unhandled exceptions, ultimately resulting in the termination of the Node.js process. This can impact the availability and reliability of the affected service, affecting its ability to handle incoming requests and potentially leading to downtime.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
          "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
          "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-50728"
        },
        {
          "category": "external",
          "summary": "RHBZ#2254872",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254872"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-50728",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-50728"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-50728",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50728"
        },
        {
          "category": "external",
          "summary": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2",
          "url": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2"
        },
        {
          "category": "external",
          "summary": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2",
          "url": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2"
        },
        {
          "category": "external",
          "summary": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4",
          "url": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4"
        },
        {
          "category": "external",
          "summary": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3",
          "url": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3"
        },
        {
          "category": "external",
          "summary": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv",
          "url": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv"
        }
      ],
      "release_date": "2023-12-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-03-18T18:49:30+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2024:1366"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.1:rhdh/rhdh-hub-rhel9@sha256:e0c7256ce83aae60c9be3cbe8ab8d8b8cffea65533d56cb859ac66fa9d9cb44b_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-operator-bundle@sha256:2abaeacfa8fd744579e44e4b320086a8678094dd92eb24825c05f43617384529_amd64",
            "9Base-RHDH-1.1:rhdh/rhdh-rhel9-operator@sha256:e7dcfc544c17a330f85d4c4d9b5139cb879fcc92b75368d460c28dfba976509c_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "octopost/webhooks: uncaught exception"
    }
  ]
}

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/webhooks"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.26.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/webhooks"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/webhooks"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/webhooks"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.1"
            },
            {
              "fixed": "14.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "14.0.1"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "octokit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "probot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-50728"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-16T00:52:19Z",
    "nvd_published_at": "2023-12-15T22:15:07Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nVersions [v9.26.0](https://github.com/octokit/webhooks.js/releases/tag/v9.26.0), [v10.9.x](https://github.com/octokit/webhooks.js/releases/tag/v10.9.1)), [v11.1.x](https://github.com/octokit/webhooks.js/releases/tag/v11.1.1), [v12.0.x](https://github.com/octokit/webhooks.js/releases/tag/v12.0.3) all contained the code that would throw the error.\n\nSpecifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building Github Apps). The resulting request was found to cause an uncaught exception that ends the nodejs process.\n\nThe problem is caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases.\n\nCredit goes to @pb82 (for the early analysis) and @rh-tguittet (for discovery). \n\n### Patches\n\nMaintenance releases for the Error being thrown by the verify method in [octokit/webhooks.js](https://github.com/octokit/webhooks.js)\n* v12 - [v12.0.4](https://github.com/octokit/webhooks.js/releases/tag/v12.0.4)\n* v11 - [v11.1.2](https://github.com/octokit/webhooks.js/releases/tag/v11.1.2)\n* v10 -[v10.9.2](https://github.com/octokit/webhooks.js/releases/tag/v10.9.2)\n* v9 - [v9.26.3](https://github.com/octokit/webhooks.js/releases/tag/v9.26.3)\n\nMaintenance release for the reference for [octokit/webhooks.js](https://github.com/octokit/webhooks.js) in [app.js](https://github.com/octokit/app.js)\n* [v14.0.2](https://github.com/octokit/app.js/releases/tag/v14.0.2)\n\nMaintenance release for the reference for [octokit/webhooks.js](https://github.com/octokit/webhooks.js) in [octokit.js](https://github.com/octokit/octokit.js)\n* [v3.1.2](https://github.com/octokit/octokit.js/releases/tag/v3.1.2)\n\nMaintenance release for the reference for [octokit/webhooks.js](https://github.com/octokit/webhooks.js) in [Protobot](https://github.com/probot/probot)\n* [v12.3.3](https://github.com/probot/probot/releases/tag/v12.3.3)\n\n\n### Workarounds\nIt is recommend that all users upgrade to the latest version of  [octokit/webhooks.js](https://github.com/octokit/webhooks.js) or use one of the updated back ported versions.\n\n",
  "id": "GHSA-pwfr-8pq7-x9qv",
  "modified": "2023-12-16T00:52:19Z",
  "published": "2023-12-16T00:52:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50728"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/app.js/releases/tag/v14.0.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/octokit/webhooks.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/probot/probot/releases/tag/v12.3.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unauthenticated Denial of Service in the octokit/webhooks library"
}