rhea-2024:4071
Vulnerability from csaf_redhat
Published
2024-06-24 19:27
Modified
2025-09-25 11:29
Summary
Red Hat Enhancement Advisory: Red Hat Developer Hub 1.2 release

Notes

Topic
Red Hat Developer Hub 1.2 has been released.
Details
Red Hat Developer Hub (RHDH) is Red Hat's enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat Developer Hub 1.2 has been released.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Developer Hub (RHDH) is Red Hat\u0027s enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHEA-2024:4071",
        "url": "https://access.redhat.com/errata/RHEA-2024:4071"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_developer_hub/1.2",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_developer_hub/1.2"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhea-2024_4071.json"
      }
    ],
    "title": "Red Hat Enhancement Advisory: Red Hat Developer Hub 1.2 release",
    "tracking": {
      "current_release_date": "2025-09-25T11:29:00+00:00",
      "generator": {
        "date": "2025-09-25T11:29:00+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.8"
        }
      },
      "id": "RHEA-2024:4071",
      "initial_release_date": "2024-06-24T19:27:31+00:00",
      "revision_history": [
        {
          "date": "2024-06-24T19:27:31+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-06-24T19:27:31+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-09-25T11:29:00+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Developer Hub 1.2 for RHEL 9",
                "product": {
                  "name": "Red Hat Developer Hub 1.2 for RHEL 9",
                  "product_id": "9Base-RHDH-1.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhdh:1.2::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Developer Hub"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64",
                "product": {
                  "name": "rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64",
                  "product_id": "rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-hub-rhel9\u0026tag=1.2-105"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
                "product": {
                  "name": "rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
                  "product_id": "rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-operator-bundle\u0026tag=1.2-97"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64",
                "product": {
                  "name": "rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64",
                  "product_id": "rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-rhel9-operator\u0026tag=1.2-103"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64 as a component of Red Hat Developer Hub 1.2 for RHEL 9",
          "product_id": "9Base-RHDH-1.2:rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64"
        },
        "product_reference": "rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64",
        "relates_to_product_reference": "9Base-RHDH-1.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64 as a component of Red Hat Developer Hub 1.2 for RHEL 9",
          "product_id": "9Base-RHDH-1.2:rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64"
        },
        "product_reference": "rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
        "relates_to_product_reference": "9Base-RHDH-1.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64 as a component of Red Hat Developer Hub 1.2 for RHEL 9",
          "product_id": "9Base-RHDH-1.2:rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64"
        },
        "product_reference": "rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64",
        "relates_to_product_reference": "9Base-RHDH-1.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-6345",
      "cwe": {
        "id": "CWE-94",
        "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
      },
      "discovery_date": "2024-07-15T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.2:rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
            "9Base-RHDH-1.2:rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2297771"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the package_index module of pypa/setuptools. Affected versions of this package allow remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack does not include setuptools. The ImcSdk component uses it only during compile time in our build systems, and we do not support recompiling SRPMs. As a result, Red Hat OpenStack is not affected by this flaw.\n\nPython 2.7.18 was marked End of Life on 04/20/2020. No patches for Python 2 would be made available.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.2:rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.2:rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
          "9Base-RHDH-1.2:rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-6345"
        },
        {
          "category": "external",
          "summary": "RHBZ#2297771",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2297771"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-6345",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-6345"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-6345",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6345"
        },
        {
          "category": "external",
          "summary": "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0",
          "url": "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0"
        },
        {
          "category": "external",
          "summary": "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5",
          "url": "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5"
        }
      ],
      "release_date": "2024-07-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-06-24T19:27:31+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.2:rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2024:4071"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-RHDH-1.2:rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64",
            "9Base-RHDH-1.2:rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
            "9Base-RHDH-1.2:rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.2:rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64",
            "9Base-RHDH-1.2:rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
            "9Base-RHDH-1.2:rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools"
    },
    {
      "cve": "CVE-2024-27307",
      "cwe": {
        "id": "CWE-1321",
        "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
      },
      "discovery_date": "2024-03-07T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.2:rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
            "9Base-RHDH-1.2:rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2268370"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in JSONata. A malicious expression can exploit the transform operator to override properties on the Object constructor and prototype. This issue can result in denial of service, remote code execution, or other unforeseen behavior in applications that assess user-provided JSONata expressions.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jsonata: malicious expression can pollute the \"Object\" prototype",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affects the @roadiehq/scaffolder-backend-module-utils plugin shipped in Red Hat Developer Hub. However, currently, this plugin is in technology preview. For more information, see the link below.\n\nhttps://access.redhat.com/documentation/en-us/red_hat_developer_hub/1.0/html/release_notes_for_red_hat_developer_hub_1.0/con-relnotes-techpreview-features_release-notes-rhdh#plugins-available-in-red-hat-developer-hub",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.2:rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.2:rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
          "9Base-RHDH-1.2:rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-27307"
        },
        {
          "category": "external",
          "summary": "RHBZ#2268370",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268370"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-27307",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-27307"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-27307",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27307"
        },
        {
          "category": "external",
          "summary": "https://github.com/jsonata-js/jsonata/security/advisories/GHSA-fqg8-vfv7-8fj8",
          "url": "https://github.com/jsonata-js/jsonata/security/advisories/GHSA-fqg8-vfv7-8fj8"
        }
      ],
      "release_date": "2024-03-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-06-24T19:27:31+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.2:rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2024:4071"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.2:rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64",
            "9Base-RHDH-1.2:rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
            "9Base-RHDH-1.2:rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jsonata: malicious expression can pollute the \"Object\" prototype"
    },
    {
      "cve": "CVE-2024-34064",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2024-05-07T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.2:rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
            "9Base-RHDH-1.2:rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2279476"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `\u003e`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. This vulnerability is fixed in 3.1.4.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jinja2: accepts keys containing non-attribute characters",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The fix for CVE-2024-22195 only addressed spaces, not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe.\n\nFence agents on RHEL 8 has been fixed as a part of https://access.redhat.com/errata/RHBA-2024:4238",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.2:rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.2:rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
          "9Base-RHDH-1.2:rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-34064"
        },
        {
          "category": "external",
          "summary": "RHBZ#2279476",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2279476"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-34064",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-34064"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-34064",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34064"
        },
        {
          "category": "external",
          "summary": "https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj",
          "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj"
        }
      ],
      "release_date": "2024-05-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-06-24T19:27:31+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.2:rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2024:4071"
        },
        {
          "category": "workaround",
          "details": "Do not accept user input as keys to the xmlattr filter without validation. See the statement above for more information.",
          "product_ids": [
            "9Base-RHDH-1.2:rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64",
            "9Base-RHDH-1.2:rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
            "9Base-RHDH-1.2:rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.2:rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64",
            "9Base-RHDH-1.2:rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
            "9Base-RHDH-1.2:rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jinja2: accepts keys containing non-attribute characters"
    },
    {
      "cve": "CVE-2024-35195",
      "cwe": {
        "id": "CWE-670",
        "name": "Always-Incorrect Control Flow Implementation"
      },
      "discovery_date": "2024-05-21T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "9Base-RHDH-1.2:rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
            "9Base-RHDH-1.2:rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2282114"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An incorrect control flow implementation vulnerability was found in Requests. If the first request in a session is made with verify=False, all subsequent requests to the same host will continue to ignore cert verification.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "requests: subsequent requests to the same host ignore cert verification",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-670: Always-Incorrect Control Flow Implementation vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nThe platform\u0027s orchestration features, such as liveness and readiness probes, automated pod restarts, and health monitoring, help to quickly detect and recover from service-level failures resulting from incorrect control flows. Static code analysis and peer code review techniques are used to execute robust input validation and error-handling mechanisms to ensure all user inputs are thoroughly validated, preventing improperly validated inputs from causing system instability, exposing sensitive data, or escalating risks. Additionally, process isolation ensures that component issues are contained within the originating process, preventing them from affecting other processes or the system as a whole.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHDH-1.2:rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64"
        ],
        "known_not_affected": [
          "9Base-RHDH-1.2:rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
          "9Base-RHDH-1.2:rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-35195"
        },
        {
          "category": "external",
          "summary": "RHBZ#2282114",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282114"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-35195",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-35195"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-35195",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35195"
        },
        {
          "category": "external",
          "summary": "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56",
          "url": "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56"
        }
      ],
      "release_date": "2024-05-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-06-24T19:27:31+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHDH-1.2:rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2024:4071"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "9Base-RHDH-1.2:rhdh/rhdh-hub-rhel9@sha256:326bbee170b6e612cb57326e756fa6b40034f0ddc9dd10dc8adbb260f17a3e38_amd64",
            "9Base-RHDH-1.2:rhdh/rhdh-operator-bundle@sha256:daf5a8a5d8eae173facaa54561f29706b06fe03579bcfc1d1feb8f70061edf6c_amd64",
            "9Base-RHDH-1.2:rhdh/rhdh-rhel9-operator@sha256:6e2abcf60e86bb0671673af301b708956eb711f66842d26df5d55a76e01475cb_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "requests: subsequent requests to the same host ignore cert verification"
    }
  ]
}





