rhba-2024:7523
Vulnerability from csaf_redhat
Published
2024-10-02 15:29
Modified
2025-09-10 13:33
Summary
Red Hat Bug Fix Advisory: Red Hat Developer Hub 1.3.0 release

Notes

Topic
Red Hat Developer Hub 1.3.0 has been released. Note that although this is published as a Bug Fix Advisory (RHBA), it also delivers fixes for the CVEs listed in the "vulnerabilities" section below and carries an aggregate severity of Important, so it should be tracked and applied with the same priority as a security advisory.
Details
Red Hat Developer Hub (RHDH) is Red Hat's enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat Developer Hub 1.3.0 has been released.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Developer Hub (RHDH) is Red Hat\u0027s enterprise-grade, self-managed,\ncustomizable developer portal based on Backstage.io.  RHDH is supported on\nOpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features\nof RHDH include a single pane of glass, a centralized software catalog,\nself-service via golden path templates, and Tech Docs. RHDH is extensible by\nplugins.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHBA-2024:7523",
        "url": "https://access.redhat.com/errata/RHBA-2024:7523"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.3",
        "url": "https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.3"
      },
      {
        "category": "external",
        "summary": "RHIDP-3725",
        "url": "https://issues.redhat.com/browse/RHIDP-3725"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhba-2024_7523.json"
      }
    ],
    "title": "Red Hat Bug Fix Advisory: Red Hat Developer Hub 1.3.0 release",
    "tracking": {
      "current_release_date": "2025-09-10T13:33:55+00:00",
      "generator": {
        "date": "2025-09-10T13:33:55+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.7"
        }
      },
      "id": "RHBA-2024:7523",
      "initial_release_date": "2024-10-02T15:29:03+00:00",
      "revision_history": [
        {
          "date": "2024-10-02T15:29:03+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-10-02T15:29:03+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-09-10T13:33:55+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Developer Hub 1.3 for RHEL 9",
                "product": {
                  "name": "Red Hat Developer Hub 1.3 for RHEL 9",
                  "product_id": "9Base-RHDH-1.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhdh:1.3::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Developer Hub"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
                "product": {
                  "name": "rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
                  "product_id": "rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-hub-rhel9\u0026tag=1.3-100"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
                "product": {
                  "name": "rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
                  "product_id": "rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-operator-bundle\u0026tag=1.3-95"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64",
                "product": {
                  "name": "rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64",
                  "product_id": "rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-rhel9-operator\u0026tag=1.3-96"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64 as a component of Red Hat Developer Hub 1.3 for RHEL 9",
          "product_id": "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
        },
        "product_reference": "rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
        "relates_to_product_reference": "9Base-RHDH-1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64 as a component of Red Hat Developer Hub 1.3 for RHEL 9",
          "product_id": "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64"
        },
        "product_reference": "rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
        "relates_to_product_reference": "9Base-RHDH-1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64 as a component of Red Hat Developer Hub 1.3 for RHEL 9",
          "product_id": "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
        },
        "product_reference": "rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64",
        "relates_to_product_reference": "9Base-RHDH-1.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-4067",
      "cwe": {
        "id": "CWE-1333",
        "name": "Inefficient Regular Expression Complexity"
      },
      "discovery_date": "2024-05-14T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2280601"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the NPM package `micromatch` where it is vulnerable to a regular expression denial of service (ReDoS). The issue occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will readily match anything. When a malicious payload is passed, the regular expression engine keeps backtracking over the input while it fails to find the closing bracket. As the input size increases, the processing time also increases until the application hangs or slows down. A fix was merged, but further testing showed that the issue persisted. This issue should be mitigated by using a safe pattern that does not backtrack due to greedy matching.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "micromatch: vulnerable to Regular Expression Denial of Service",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
          "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-4067"
        },
        {
          "category": "external",
          "summary": "RHBZ#2280601",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2280601"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-4067",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-4067"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-4067",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4067"
        },
        {
          "category": "external",
          "summary": "https://devhub.checkmarx.com/cve-details/CVE-2024-4067/",
          "url": "https://devhub.checkmarx.com/cve-details/CVE-2024-4067/"
        },
        {
          "category": "external",
          "summary": "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448",
          "url": "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448"
        },
        {
          "category": "external",
          "summary": "https://github.com/micromatch/micromatch/issues/243",
          "url": "https://github.com/micromatch/micromatch/issues/243"
        },
        {
          "category": "external",
          "summary": "https://github.com/micromatch/micromatch/pull/247",
          "url": "https://github.com/micromatch/micromatch/pull/247"
        }
      ],
      "release_date": "2023-12-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-02T15:29:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:7523"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "micromatch: vulnerable to Regular Expression Denial of Service"
    },
    {
      "cve": "CVE-2024-4068",
      "cwe": {
        "id": "CWE-1050",
        "name": "Excessive Platform Resource Consumption within a Loop"
      },
      "discovery_date": "2024-05-14T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2280600"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the NPM package `braces`. It fails to limit the number of characters it can handle, which could lead to memory exhaustion. In `lib/parse.js`, if a malicious user sends \"imbalanced braces\" as input, the parsing enters a loop that allocates heap memory without freeing it at any point during the loop. Eventually, the JavaScript heap limit is reached and the program crashes.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "braces: fails to limit the number of characters it can handle",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
          "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-4068"
        },
        {
          "category": "external",
          "summary": "RHBZ#2280600",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2280600"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-4068",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-4068"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068"
        },
        {
          "category": "external",
          "summary": "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/",
          "url": "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/"
        },
        {
          "category": "external",
          "summary": "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308",
          "url": "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308"
        },
        {
          "category": "external",
          "summary": "https://github.com/micromatch/braces/issues/35",
          "url": "https://github.com/micromatch/braces/issues/35"
        }
      ],
      "release_date": "2024-03-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-02T15:29:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:7523"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "braces: fails to limit the number of characters it can handle"
    },
    {
      "cve": "CVE-2024-21529",
      "cwe": {
        "id": "CWE-1321",
        "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
      },
      "discovery_date": "2024-09-11T05:20:09.464815+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2311418"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the dset package. Affected versions of this package are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject a malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "dset: Prototype Pollution",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Prototype Pollution is rated as an Important severity issue because it exploits the fundamental inheritance mechanism of JavaScript objects, allowing an attacker to maliciously alter the global Object.prototype. This can lead to widespread and unpredictable behavior across the entire application, as all objects inherit from this polluted prototype. The consequences can range from denial of service (DoS), where important functions like toString() are rendered unusable, to remote code execution (RCE), where injected properties are executed in privileged contexts.\n\nThe rhdh-hub container for RHDH 1.2 includes the fix for this vulnerability starting with version 1.2.5.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
          "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-21529"
        },
        {
          "category": "external",
          "summary": "RHBZ#2311418",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311418"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-21529",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-21529"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21529",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21529"
        },
        {
          "category": "external",
          "summary": "https://github.com/lukeed/dset/commit/16d6154e085bef01e99f01330e5a421a7f098afa",
          "url": "https://github.com/lukeed/dset/commit/16d6154e085bef01e99f01330e5a421a7f098afa"
        },
        {
          "category": "external",
          "summary": "https://security.snyk.io/vuln/SNYK-JS-DSET-7116691",
          "url": "https://security.snyk.io/vuln/SNYK-JS-DSET-7116691"
        }
      ],
      "release_date": "2024-09-11T05:15:02.547000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-02T15:29:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:7523"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "dset: Prototype Pollution"
    },
    {
      "cve": "CVE-2024-24790",
      "cwe": {
        "id": "CWE-115",
        "name": "Misinterpretation of Input"
      },
      "discovery_date": "2024-06-17T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2292787"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Go language standard library net/netip. The Is*() methods (IsPrivate(), IsLoopback(), etc.) do not behave as expected for IPv4-mapped IPv6 addresses (for example, ::ffff:192.168.0.1), so a method such as IsPrivate() can return a different result for the mapped form than for the equivalent plain IPv4 address. This unexpected behavior can lead to integrity and confidentiality issues, specifically when these methods are used to control access to resources or data.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This CVE has been rated Moderate because, for Red Hat products, a network-based attack vector against the affected Go code is not considered feasible. In addition, per the flaw analysis reported by the Go project, this issue affects only integrity and confidentiality and has no effect on availability, and the CVSS score has been set accordingly.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-115: Misinterpretation of Input vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nControls such as input validation and error handling mitigate input misinterpretation risks by enforcing strict validation rules and secure error management. Error handling ensures inputs are validated against predefined formats, preventing malformed data from being misinterpreted. Techniques like strong typing, allow listing, and proper encoding reduce the likelihood of injection attacks and unintended code execution. Input validation also ensures that errors do not expose sensitive system details or cause unpredictable behavior. Secure error handling prevents information leakage through detailed error messages while preserving system stability under malformed input conditions. Together, these controls reduce the attack surface by maintaining consistent input processing and preventing exploitable system states, strengthening the overall security posture.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
          "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-24790"
        },
        {
          "category": "external",
          "summary": "RHBZ#2292787",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292787"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-24790",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-24790"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-24790",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24790"
        }
      ],
      "release_date": "2024-06-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-02T15:29:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:7523"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses"
    },
    {
      "cve": "CVE-2024-24791",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2024-07-02T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2295310"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "net/http: Denial of service due to improper 100-continue handling in net/http",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "An attacker would need to control a malicious server and induce a client to connect to it, requiring some amount of preparation outside of the attacker\u0027s control. This reduces the severity score of this flaw to Moderate.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-20: Improper Input Validation vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat enforces the principle of least functionality, ensuring that only essential features, services, and ports are enabled. This minimizes the number of components that could be affected by input validation vulnerabilities. Security testing and evaluation standards are implemented within the environment to rigorously test input validation mechanisms during the development lifecycle, while static code analysis identifies potential input validation vulnerabilities by default. Process isolation ensures that processes handling potentially malicious or unvalidated inputs run in isolated environments by separating execution domains for each process. Malicious code protections, such as IPS/IDS and antimalware solutions, help detect and mitigate malicious payloads stemming from input validation vulnerabilities. Finally, robust input validation and error-handling mechanisms ensure all user inputs are thoroughly validated, preventing improperly validated inputs from causing system instability, exposing sensitive data, or escalating risks further.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
          "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-24791"
        },
        {
          "category": "external",
          "summary": "RHBZ#2295310",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295310"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-24791",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-24791"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-24791",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24791"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/591255",
          "url": "https://go.dev/cl/591255"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/67555",
          "url": "https://go.dev/issue/67555"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ",
          "url": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ"
        }
      ],
      "release_date": "2024-07-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-02T15:29:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:7523"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "net/http: Denial of service due to improper 100-continue handling in net/http"
    },
    {
      "cve": "CVE-2024-35255",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
      },
      "discovery_date": "2024-07-01T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2295081"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Microsoft\u0027s Azure Identity Libraries and the Microsoft Authentication Library (MSAL). The flaw arises from a race condition\u2014a scenario where the timing of events leads to unexpected behavior\u2014during concurrent operations on shared resources. This can result in privilege escalation, allowing attackers to gain unauthorized access to sensitive information. The vulnerability affects multiple versions of these libraries across various programming languages, including Java, .NET, Node.js, Python, JavaScript, C++, and Go. Microsoft has addressed this issue by releasing updated versions of the affected libraries. Users are strongly advised to upgrade to these patched versions to mitigate potential security risks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat build of Apache Camel for Spring Boot is not affected, as version 4.4.1 was released containing a fixed version of the Azure Identity Library.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
          "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-35255"
        },
        {
          "category": "external",
          "summary": "RHBZ#2295081",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295081"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-35255",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-35255"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-35255",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35255"
        },
        {
          "category": "external",
          "summary": "https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499",
          "url": "https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499"
        },
        {
          "category": "external",
          "summary": "https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340",
          "url": "https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-m5vv-6r4h-3vj9",
          "url": "https://github.com/advisories/GHSA-m5vv-6r4h-3vj9"
        },
        {
          "category": "external",
          "summary": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"
        }
      ],
      "release_date": "2024-07-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-02T15:29:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:7523"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity"
    },
    {
      "cve": "CVE-2024-37891",
      "cwe": {
        "id": "CWE-669",
        "name": "Incorrect Resource Transfer Between Spheres"
      },
      "discovery_date": "2024-06-17T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2292788"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in urllib3, an HTTP client library for Python. In certain configurations, urllib3 does not treat the `Proxy-Authorization` HTTP header as one carrying authentication material. This issue results in not stripping the header on cross-origin redirects.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "urllib3: proxy-authorization request header is not stripped during cross-origin redirects",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": ".egg-info packages, such as urllib3-1.24.2-py3.6.egg-info, store only metadata (for example, the package version and dependencies) and do not contain any of the affected code.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
          "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-37891"
        },
        {
          "category": "external",
          "summary": "RHBZ#2292788",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292788"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-37891",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-37891"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891"
        }
      ],
      "release_date": "2024-06-17T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-02T15:29:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:7523"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "urllib3: proxy-authorization request header is not stripped during cross-origin redirects"
    },
    {
      "cve": "CVE-2024-39008",
      "cwe": {
        "id": "CWE-1321",
        "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
      },
      "discovery_date": "2024-07-01T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2295029"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the fast-loops Node.js package. This flaw allows an attacker to alter the behavior of all objects inheriting from the affected prototype by passing arguments crafted with the built-in __proto__ property to the objectMergeDeep function. This issue can potentially lead to denial of service, remote code execution, or cross-site scripting.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "fast-loops: prototype pollution via objectMergeDeep",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
          "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-39008"
        },
        {
          "category": "external",
          "summary": "RHBZ#2295029",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295029"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-39008",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-39008"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-39008",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39008"
        },
        {
          "category": "external",
          "summary": "https://gist.github.com/mestrtee/f09a507c8d59fbbb7fd40880cd9b87ed",
          "url": "https://gist.github.com/mestrtee/f09a507c8d59fbbb7fd40880cd9b87ed"
        }
      ],
      "release_date": "2024-07-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-02T15:29:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:7523"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "fast-loops: prototype pollution via objectMergeDeep"
    },
    {
      "cve": "CVE-2024-39249",
      "cwe": {
        "id": "CWE-1333",
        "name": "Inefficient Regular Expression Complexity"
      },
      "discovery_date": "2024-07-01T20:20:32+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2295035"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the async Node.js package. A regular expression denial of service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "nodejs-async: Regular expression denial of service while parsing function in autoinject",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
          "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-39249"
        },
        {
          "category": "external",
          "summary": "RHBZ#2295035",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295035"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-39249",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-39249"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-39249",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39249"
        },
        {
          "category": "external",
          "summary": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L41",
          "url": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L41"
        },
        {
          "category": "external",
          "summary": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L6",
          "url": "https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L6"
        },
        {
          "category": "external",
          "summary": "https://github.com/zunak/CVE-2024-39249",
          "url": "https://github.com/zunak/CVE-2024-39249"
        }
      ],
      "release_date": "2024-07-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-02T15:29:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:7523"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "nodejs-async: Regular expression denial of service while parsing function in autoinject"
    },
    {
      "cve": "CVE-2024-43796",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2024-09-10T15:30:28.106254+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2311152"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Express. This vulnerability allows untrusted code execution when untrusted user input is passed to response.redirect(), even if that input has been sanitized.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "express: Improper Input Handling in Express Redirects",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
          "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-43796"
        },
        {
          "category": "external",
          "summary": "RHBZ#2311152",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311152"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-43796",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-43796"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-43796",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43796"
        },
        {
          "category": "external",
          "summary": "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553",
          "url": "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553"
        },
        {
          "category": "external",
          "summary": "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx",
          "url": "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx"
        }
      ],
      "release_date": "2024-09-10T15:15:17.510000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-02T15:29:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:7523"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "express: Improper Input Handling in Express Redirects"
    },
    {
      "cve": "CVE-2024-43800",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2024-09-10T15:30:33.631718+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2311154"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in serve-static. This issue may allow the execution of untrusted code via passing sanitized yet untrusted user input to redirect().",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "serve-static: Improper Sanitization in serve-static",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "rhdh-hub-container 1.2 and 1.3 include patches for this vulnerability.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
          "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-43800"
        },
        {
          "category": "external",
          "summary": "RHBZ#2311154",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311154"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-43800",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-43800"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-43800",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43800"
        },
        {
          "category": "external",
          "summary": "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b",
          "url": "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b"
        },
        {
          "category": "external",
          "summary": "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa",
          "url": "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa"
        },
        {
          "category": "external",
          "summary": "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p",
          "url": "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p"
        }
      ],
      "release_date": "2024-09-10T15:15:17.937000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-02T15:29:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2024:7523"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.3:rhdh/rhdh-hub-rhel9@sha256:ccc2f05dd6dacbe9b39bbe5b4774ef9d61b872fa7c26e47c0c63d260920ad436_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-operator-bundle@sha256:717ddb1edb2f3ba94fa68d5310dfe2c0b4aa0a3a75747011b1cd4d6956d982e3_amd64",
            "9Base-RHDH-1.3:rhdh/rhdh-rhel9-operator@sha256:4984c6cc3d35be00fa8758b2ddbb2712ad0085b557ff1bac9cc885a47bc20bf4_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "serve-static: Improper Sanitization in serve-static"
    }
  ]
}

