Vulnerability-Lookup

RHSA-2026:5645

Vulnerability from csaf_redhat - Published: 2026-03-24 15:38 - Updated: 2026-03-29 13:43

Summary

Red Hat Security Advisory: cert-manager Operator for Red Hat OpenShift 1.17.1

Severity

Important

Notes

Topic: cert-manager Operator for Red Hat OpenShift 1.17.1

Details: The cert-manager Operator for Red Hat OpenShift builds on top of Kubernetes, introducing certificate authorities and certificates as first-class resource types in the Kubernetes API. This makes it possible to provide certificates-as-a-service to developers working within your Kubernetes cluster.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2025-47907

A flaw was found in database/sql. Concurrent queries can produce unexpected results when a query is cancelled during a Scan method call on returned Rows, creating a race condition. This vulnerability allows an attacker who can initiate and cancel queries to trigger this condition, possibly leading to inconsistent data being returned to the application.

7.0 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Vendor Fix Before applying this update, make sure all previously released errata relevant to your system have been applied. The steps to apply the upgraded images are different depending on the installation plan approval policy you used when installing the cert-manager Operator for Red Hat OpenShift. - If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a new version of the Operator. No further action is required to upgrade. This is the default setting. - If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator. See https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html for additional information. https://access.redhat.com/errata/RHSA-2026:5645

CVE-2025-58183

A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Workaround Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

CVE-2025-61726

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Workaround Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.

CVE-2025-61728

A flaw was found in the archive/zip package in the Go standard library. A super-linear file name indexing algorithm is used in the first time a file in an archive is opened. A crafted zip archive containing a specific arrangement of file names can cause an excessive CPU and memory consumption. A Go application processing a malicious archive can become unresponsive or crash, resulting in a denial of service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Workaround To mitigate this vulnerability, implement a timeout in your archive/zip processing logic to abort the operation if it exceeds a few seconds, preventing the application from consuming an excessive amount of resources.

CVE-2025-61729

A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1050 - Excessive Platform Resource Consumption within a Loop

CVE-2025-68121

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References

URL

Category

	https://access.redhat.com/errata/RHSA-2026:5645	self
	https://access.redhat.com/security/cve/CVE-2025-47907	external
	https://access.redhat.com/security/cve/CVE-2025-58183	external
	https://access.redhat.com/security/cve/CVE-2025-61726	external
	https://access.redhat.com/security/cve/CVE-2025-61728	external
	https://access.redhat.com/security/cve/CVE-2025-61729	external
	https://access.redhat.com/security/cve/CVE-2025-68121	external
	https://access.redhat.com/security/updates/classi…	external
	https://docs.openshift.com/container-platform/lat…	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2025-47907	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2387083	external
	https://www.cve.org/CVERecord?id=CVE-2025-47907	external
	https://nvd.nist.gov/vuln/detail/CVE-2025-47907	external
	https://go.dev/cl/693735	external
	https://go.dev/issue/74831	external
	https://groups.google.com/g/golang-announce/c/x5M…	external
	https://pkg.go.dev/vuln/GO-2025-3849	external
	https://access.redhat.com/security/cve/CVE-2025-58183	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2407258	external
	https://www.cve.org/CVERecord?id=CVE-2025-58183	external
	https://nvd.nist.gov/vuln/detail/CVE-2025-58183	external
	https://go.dev/cl/709861	external
	https://go.dev/issue/75677	external
	https://groups.google.com/g/golang-announce/c/4Em…	external
	https://pkg.go.dev/vuln/GO-2025-4014	external
	https://access.redhat.com/security/cve/CVE-2025-61726	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2434432	external
	https://www.cve.org/CVERecord?id=CVE-2025-61726	external
	https://nvd.nist.gov/vuln/detail/CVE-2025-61726	external
	https://go.dev/cl/736712	external
	https://go.dev/issue/77101	external
	https://groups.google.com/g/golang-announce/c/Vd2…	external
	https://pkg.go.dev/vuln/GO-2026-4341	external
	https://access.redhat.com/security/cve/CVE-2025-61728	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2434431	external
	https://www.cve.org/CVERecord?id=CVE-2025-61728	external
	https://nvd.nist.gov/vuln/detail/CVE-2025-61728	external
	https://go.dev/cl/736713	external
	https://go.dev/issue/77102	external
	https://pkg.go.dev/vuln/GO-2026-4342	external
	https://access.redhat.com/security/cve/CVE-2025-61729	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2418462	external
	https://www.cve.org/CVERecord?id=CVE-2025-61729	external
	https://nvd.nist.gov/vuln/detail/CVE-2025-61729	external
	https://go.dev/cl/725920	external
	https://go.dev/issue/76445	external
	https://groups.google.com/g/golang-announce/c/8FJ…	external
	https://pkg.go.dev/vuln/GO-2025-4155	external
	https://access.redhat.com/security/cve/CVE-2025-68121	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2437111	external
	https://www.cve.org/CVERecord?id=CVE-2025-68121	external
	https://nvd.nist.gov/vuln/detail/CVE-2025-68121	external
	https://go.dev/cl/737700	external
	https://go.dev/issue/77217	external
	https://groups.google.com/g/golang-announce/c/K09…	external
	https://pkg.go.dev/vuln/GO-2026-4337	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "cert-manager Operator for Red Hat OpenShift 1.17.1",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The cert-manager Operator for Red Hat OpenShift builds on top of Kubernetes, introducing certificate authorities\nand certificates as first-class resource types in the Kubernetes API. This makes it possible to provide\ncertificates-as-a-service to developers working within your Kubernetes cluster.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:5645",
        "url": "https://access.redhat.com/errata/RHSA-2026:5645"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-47907",
        "url": "https://access.redhat.com/security/cve/CVE-2025-47907"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-58183",
        "url": "https://access.redhat.com/security/cve/CVE-2025-58183"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-61726",
        "url": "https://access.redhat.com/security/cve/CVE-2025-61726"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-61728",
        "url": "https://access.redhat.com/security/cve/CVE-2025-61728"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-61729",
        "url": "https://access.redhat.com/security/cve/CVE-2025-61729"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-68121",
        "url": "https://access.redhat.com/security/cve/CVE-2025-68121"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html",
        "url": "https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_5645.json"
      }
    ],
    "title": "Red Hat Security Advisory: cert-manager Operator for Red Hat OpenShift 1.17.1",
    "tracking": {
      "current_release_date": "2026-03-29T13:43:13+00:00",
      "generator": {
        "date": "2026-03-29T13:43:13+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.4"
        }
      },
      "id": "RHSA-2026:5645",
      "initial_release_date": "2026-03-24T15:38:55+00:00",
      "revision_history": [
        {
          "date": "2026-03-24T15:38:55+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-03-24T15:39:00+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-03-29T13:43:13+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Cert Manager support for Red Hat OpenShift release 1.17",
                "product": {
                  "name": "Cert Manager support for Red Hat OpenShift release 1.17",
                  "product_id": "Cert Manager support for Red Hat OpenShift release 1.17",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:cert_manager:1.17::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Cert Manager support for Red Hat OpenShift release"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
                "product": {
                  "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
                  "product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jetstack-cert-manager-rhel9@sha256%3A9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12?arch=amd64\u0026repository_url=registry.redhat.io/cert-manager\u0026tag=1774341716"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
                "product": {
                  "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
                  "product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jetstack-cert-manager-acmesolver-rhel9@sha256%3Aabcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f?arch=amd64\u0026repository_url=registry.redhat.io/cert-manager\u0026tag=1774342146"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
                "product": {
                  "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
                  "product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jetstack-cert-manager-rhel9@sha256%3Aa1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea?arch=s390x\u0026repository_url=registry.redhat.io/cert-manager\u0026tag=1774341716"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
                "product": {
                  "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
                  "product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jetstack-cert-manager-acmesolver-rhel9@sha256%3A4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132?arch=s390x\u0026repository_url=registry.redhat.io/cert-manager\u0026tag=1774342146"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le",
                "product": {
                  "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le",
                  "product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jetstack-cert-manager-rhel9@sha256%3Ac73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13?arch=ppc64le\u0026repository_url=registry.redhat.io/cert-manager\u0026tag=1774341716"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
                "product": {
                  "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
                  "product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jetstack-cert-manager-acmesolver-rhel9@sha256%3A42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f?arch=ppc64le\u0026repository_url=registry.redhat.io/cert-manager\u0026tag=1774342146"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
                "product": {
                  "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
                  "product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jetstack-cert-manager-rhel9@sha256%3A6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f?arch=arm64\u0026repository_url=registry.redhat.io/cert-manager\u0026tag=1774341716"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
                "product": {
                  "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
                  "product_id": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jetstack-cert-manager-acmesolver-rhel9@sha256%3A3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a?arch=arm64\u0026repository_url=registry.redhat.io/cert-manager\u0026tag=1774342146"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64 as a component of Cert Manager support for Red Hat OpenShift release 1.17",
          "product_id": "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64"
        },
        "product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
        "relates_to_product_reference": "Cert Manager support for Red Hat OpenShift release 1.17"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le as a component of Cert Manager support for Red Hat OpenShift release 1.17",
          "product_id": "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le"
        },
        "product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
        "relates_to_product_reference": "Cert Manager support for Red Hat OpenShift release 1.17"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x as a component of Cert Manager support for Red Hat OpenShift release 1.17",
          "product_id": "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x"
        },
        "product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
        "relates_to_product_reference": "Cert Manager support for Red Hat OpenShift release 1.17"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64 as a component of Cert Manager support for Red Hat OpenShift release 1.17",
          "product_id": "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64"
        },
        "product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
        "relates_to_product_reference": "Cert Manager support for Red Hat OpenShift release 1.17"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64 as a component of Cert Manager support for Red Hat OpenShift release 1.17",
          "product_id": "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64"
        },
        "product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
        "relates_to_product_reference": "Cert Manager support for Red Hat OpenShift release 1.17"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64 as a component of Cert Manager support for Red Hat OpenShift release 1.17",
          "product_id": "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64"
        },
        "product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
        "relates_to_product_reference": "Cert Manager support for Red Hat OpenShift release 1.17"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x as a component of Cert Manager support for Red Hat OpenShift release 1.17",
          "product_id": "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x"
        },
        "product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
        "relates_to_product_reference": "Cert Manager support for Red Hat OpenShift release 1.17"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le as a component of Cert Manager support for Red Hat OpenShift release 1.17",
          "product_id": "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
        },
        "product_reference": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le",
        "relates_to_product_reference": "Cert Manager support for Red Hat OpenShift release 1.17"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-47907",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
      },
      "discovery_date": "2025-08-07T16:01:06.247481+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2387083"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in database/sql. Concurrent queries can produce unexpected results when a query is cancelled during a Scan method call on returned Rows, creating a race condition. This vulnerability allows an attacker who can initiate and cancel queries to trigger this condition, possibly leading to inconsistent data being returned to the application.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "database/sql: Postgres Scan Race Condition",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability marked as Moderate severity issues rather than Important. The os/exec LookPath flaw requires a misconfigured PATH to be exploitable, and the database/sql race condition primarily impacts applications that cancel queries while running multiple queries concurrently. Both can cause unexpected behavior, but the exploitation scope is limited and unlikely to result in direct compromise in most typical deployments.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-47907"
        },
        {
          "category": "external",
          "summary": "RHBZ#2387083",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387083"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-47907",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-47907"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47907",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47907"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/693735",
          "url": "https://go.dev/cl/693735"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/74831",
          "url": "https://go.dev/issue/74831"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
          "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2025-3849",
          "url": "https://pkg.go.dev/vuln/GO-2025-3849"
        }
      ],
      "release_date": "2025-08-07T15:25:30.704000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-24T15:38:55+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used\nwhen installing the cert-manager Operator for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nSee https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html for additional\ninformation.",
          "product_ids": [
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:5645"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "database/sql: Postgres Scan Race Condition"
    },
    {
      "cve": "CVE-2025-58183",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2025-10-29T23:01:50.573951+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2407258"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "To exploit this issue, an attacker needs to be able to process a specially crafted GNU tar pax 1.0 archive with the application using the archive/tar package. Additionally, this issue can cause the Go application to allocate a large amount of memory, eventually leading to an out-of-memory condition and resulting in a denial of service with no other security impact. Due to these reasons, this flaw has been rated with a moderate severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-58183"
        },
        {
          "category": "external",
          "summary": "RHBZ#2407258",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-58183",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-58183"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/709861",
          "url": "https://go.dev/cl/709861"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/75677",
          "url": "https://go.dev/issue/75677"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI",
          "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2025-4014",
          "url": "https://pkg.go.dev/vuln/GO-2025-4014"
        }
      ],
      "release_date": "2025-10-29T22:10:14.376000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-24T15:38:55+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used\nwhen installing the cert-manager Operator for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nSee https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html for additional\ninformation.",
          "product_ids": [
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:5645"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map"
    },
    {
      "cve": "CVE-2025-61726",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-01-28T20:01:42.791305+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2434432"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "To exploit this flaw, an attacker must be able to send a specially crafted HTTP request to an application parsing URL-encoded forms with net/url, specifically a request containing a large number of unique query parameters. The request will cause the application to consume an excessive amount of memory and eventually result in a denial of service, with no impact to confidentiality or integrity. Due to this reason, this vulnerability has been rated with an important severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-61726"
        },
        {
          "category": "external",
          "summary": "RHBZ#2434432",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-61726",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-61726"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/736712",
          "url": "https://go.dev/cl/736712"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/77101",
          "url": "https://go.dev/issue/77101"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4341",
          "url": "https://pkg.go.dev/vuln/GO-2026-4341"
        }
      ],
      "release_date": "2026-01-28T19:30:31.215000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-24T15:38:55+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used\nwhen installing the cert-manager Operator for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nSee https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html for additional\ninformation.",
          "product_ids": [
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:5645"
        },
        {
          "category": "workaround",
          "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
          "product_ids": [
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang: net/url: Memory exhaustion in query parameter parsing in net/url"
    },
    {
      "cve": "CVE-2025-61728",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-01-28T20:01:39.965024+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2434431"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the archive/zip package in the Go standard library. A super-linear file name indexing algorithm is used in the first time a file in an archive is opened. A crafted zip archive containing a specific arrangement of file names can cause an excessive CPU and memory consumption. A Go application processing a malicious archive can become unresponsive or crash, resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "To exploit this flaw, an attacker needs to be able to process a malicious zip archive with an application using the archive/zip package. Additionally, this vulnerability can cause a Go application to consume an excessive amount of CPU and memory, eventually resulting in a denial of service with no other security impact. Due to these reasons, this flaw has been rated with a moderate severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-61728"
        },
        {
          "category": "external",
          "summary": "RHBZ#2434431",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434431"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-61728",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-61728"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/736713",
          "url": "https://go.dev/cl/736713"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/77102",
          "url": "https://go.dev/issue/77102"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4342",
          "url": "https://pkg.go.dev/vuln/GO-2026-4342"
        }
      ],
      "release_date": "2026-01-28T19:30:31.354000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-24T15:38:55+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used\nwhen installing the cert-manager Operator for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nSee https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html for additional\ninformation.",
          "product_ids": [
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:5645"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, implement a timeout in your archive/zip processing logic to abort the operation if it exceeds a few seconds, preventing the application from consuming an excessive amount of resources.",
          "product_ids": [
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip"
    },
    {
      "cve": "CVE-2025-61729",
      "cwe": {
        "id": "CWE-1050",
        "name": "Excessive Platform Resource Consumption within a Loop"
      },
      "discovery_date": "2025-12-02T20:01:45.330964+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2418462"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-61729"
        },
        {
          "category": "external",
          "summary": "RHBZ#2418462",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/725920",
          "url": "https://go.dev/cl/725920"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/76445",
          "url": "https://go.dev/issue/76445"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
          "url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2025-4155",
          "url": "https://pkg.go.dev/vuln/GO-2025-4155"
        }
      ],
      "release_date": "2025-12-02T18:54:10.166000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-24T15:38:55+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used\nwhen installing the cert-manager Operator for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nSee https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html for additional\ninformation.",
          "product_ids": [
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:5645"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
    },
    {
      "cve": "CVE-2025-68121",
      "discovery_date": "2026-02-05T18:01:30.086058+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2437111"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "crypto/tls: Unexpected session resumption in crypto/tls",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
          "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-68121"
        },
        {
          "category": "external",
          "summary": "RHBZ#2437111",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-68121",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-68121"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/737700",
          "url": "https://go.dev/cl/737700"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/77217",
          "url": "https://go.dev/issue/77217"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk",
          "url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4337",
          "url": "https://pkg.go.dev/vuln/GO-2026-4337"
        }
      ],
      "release_date": "2026-02-05T17:48:44.141000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-24T15:38:55+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images are different depending on the installation plan approval policy you used\nwhen installing the cert-manager Operator for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.\n\nSee https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html for additional\ninformation.",
          "product_ids": [
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:5645"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a01605ba6dd883043f622596c54bfdfc938cdab48f4c32638e6cad807c57e9a_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:42f78dae41109753d076a75c14a9bc16096575cfdea102fdeda252665ff0381f_ppc64le",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:4974faad72c7c67e6d55f7bf8c9c2d752af17a2f48ef63153fe226b080d36132_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:abcdf8c79fe663805d3bd5e43ac73b0472b5dab8c9dd80c90e1cf54ff161f41f_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6a2828505d9760b9d4f27d5eafa05db0d025b45787828bc5e125b7c75d1f329f_arm64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:9011ffee4064e0f466d6bc27c54f60ec2e1f041d1240548101d9ed9e0254df12_amd64",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:a1bfde47d53ed34e899229870228ce35230fa216ade3e348befd9b77c2c7ceea_s390x",
            "Cert Manager support for Red Hat OpenShift release 1.17:registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:c73275043cc2caad071a88cb63f3745471fae11a953291b3dd93db4d752b1b13_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "crypto/tls: Unexpected session resumption in crypto/tls"
    }
  ]
}

CVE-2025-47907 (GCVE-0-2025-47907)

Vulnerability from cvelistv5 – Published: 2025-08-07 15:25 – Updated: 2025-11-04 21:10

Title

Incorrect results returned from Rows.Scan in database/sql

Summary

Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.

Severity ?

7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

CWE

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Assigner

References

URL

Tags

	https://go.dev/cl/693735
	https://go.dev/issue/74831
	https://groups.google.com/g/golang-announce/c/x5M…
	https://pkg.go.dev/vuln/GO-2025-3849

Impacted products

	Vendor	Product	Version
	Go standard library	database/sql	Affected: 0 , < 1.23.12 (semver) Affected: 1.24.0 , < 1.24.6 (semver)

Credits

Spike Curtis from Coder

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-47907",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-07T15:45:26.297503Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-07T15:48:03.634Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:10:56.083Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/08/06/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "database/sql",
          "product": "database/sql",
          "programRoutines": [
            {
              "name": "Rows.Scan"
            },
            {
              "name": "Row.Scan"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.23.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.24.6",
              "status": "affected",
              "version": "1.24.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Spike Curtis from Coder"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-07T15:25:30.704Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/693735"
        },
        {
          "url": "https://go.dev/issue/74831"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-3849"
        }
      ],
      "title": "Incorrect results returned from Rows.Scan in database/sql"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-47907",
    "datePublished": "2025-08-07T15:25:30.704Z",
    "dateReserved": "2025-05-13T23:31:29.597Z",
    "dateUpdated": "2025-11-04T21:10:56.083Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68121 (GCVE-0-2025-68121)

Vulnerability from cvelistv5 – Published: 2026-02-05 17:48 – Updated: 2026-02-20 16:05

Title

Unexpected session resumption in crypto/tls

Summary

Severity ?

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-295 - Improper Certificate Validation

Assigner

References

URL

Tags

	https://groups.google.com/g/golang-announce/c/K09…
	https://go.dev/cl/737700
	https://go.dev/issue/77217
	https://pkg.go.dev/vuln/GO-2026-4337

Impacted products

	Vendor	Product	Version
	Go standard library	crypto/tls	Affected: 0 , < 1.24.13 (semver) Affected: 1.25.0-0 , < 1.25.7 (semver) Affected: 1.26.0-rc.1 , < 1.26.0-rc.3 (semver)

Credits

Coia Prant (github.com/rbqvq) Go Security Team

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.4,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-68121",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-20T16:05:03.924102Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-295",
                "description": "CWE-295 Improper Certificate Validation",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-20T16:05:07.679Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/tls",
          "product": "crypto/tls",
          "programRoutines": [
            {
              "name": "Conn.handshakeContext"
            },
            {
              "name": "Conn.Handshake"
            },
            {
              "name": "Conn.HandshakeContext"
            },
            {
              "name": "Conn.Read"
            },
            {
              "name": "Conn.Write"
            },
            {
              "name": "Dial"
            },
            {
              "name": "DialWithDialer"
            },
            {
              "name": "Dialer.Dial"
            },
            {
              "name": "Dialer.DialContext"
            },
            {
              "name": "QUICConn.Start"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.13",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.7",
              "status": "affected",
              "version": "1.25.0-0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.0-rc.3",
              "status": "affected",
              "version": "1.26.0-rc.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Coia Prant (github.com/rbqvq)"
        },
        {
          "lang": "en",
          "value": "Go Security Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-05T17:48:44.141Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
        },
        {
          "url": "https://go.dev/cl/737700"
        },
        {
          "url": "https://go.dev/issue/77217"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4337"
        }
      ],
      "title": "Unexpected session resumption in crypto/tls"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-68121",
    "datePublished": "2026-02-05T17:48:44.141Z",
    "dateReserved": "2025-12-15T16:48:04.451Z",
    "dateUpdated": "2026-02-20T16:05:07.679Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-61729 (GCVE-0-2025-61729)

Vulnerability from cvelistv5 – Published: 2025-12-02 18:54 – Updated: 2025-12-03 19:37

Title

Excessive resource consumption when printing error string for host certificate validation in crypto/x509

Summary

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

References

URL

Tags

	https://go.dev/cl/725920
	https://go.dev/issue/76445
	https://groups.google.com/g/golang-announce/c/8FJ…
	https://pkg.go.dev/vuln/GO-2025-4155

Impacted products

	Vendor	Product	Version
	Go standard library	crypto/x509	Affected: 0 , < 1.24.11 (semver) Affected: 1.25.0 , < 1.25.5 (semver)

Credits

Philippe Antoine (Catena cyber)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-61729",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-02T21:52:36.341575Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-02T21:52:58.224Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "Certificate.VerifyHostname"
            },
            {
              "name": "Certificate.Verify"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.11",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.5",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Philippe Antoine (Catena cyber)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-03T19:37:14.903Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/725920"
        },
        {
          "url": "https://go.dev/issue/76445"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-4155"
        }
      ],
      "title": "Excessive resource consumption when printing error string for host certificate validation in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-61729",
    "datePublished": "2025-12-02T18:54:10.166Z",
    "dateReserved": "2025-09-30T15:05:03.605Z",
    "dateUpdated": "2025-12-03T19:37:14.903Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-61726 (GCVE-0-2025-61726)

Vulnerability from cvelistv5 – Published: 2026-01-28 19:30 – Updated: 2026-01-29 18:31

Title

Memory exhaustion in query parameter parsing in net/url

Summary

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

References

URL

Tags

	https://go.dev/cl/736712
	https://go.dev/issue/77101
	https://groups.google.com/g/golang-announce/c/Vd2…
	https://pkg.go.dev/vuln/GO-2026-4341

Impacted products

	Vendor	Product	Version
	Go standard library	net/url	Affected: 0 , < 1.24.12 (semver) Affected: 1.25.0 , < 1.25.6 (semver)

Credits

jub0bs

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-61726",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T18:31:39.150633Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T18:31:59.685Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/url",
          "product": "net/url",
          "programRoutines": [
            {
              "name": "parseQuery"
            },
            {
              "name": "ParseQuery"
            },
            {
              "name": "URL.Query"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.6",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "jub0bs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T19:30:31.215Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/736712"
        },
        {
          "url": "https://go.dev/issue/77101"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4341"
        }
      ],
      "title": "Memory exhaustion in query parameter parsing in net/url"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-61726",
    "datePublished": "2026-01-28T19:30:31.215Z",
    "dateReserved": "2025-09-30T15:05:03.605Z",
    "dateUpdated": "2026-01-29T18:31:59.685Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-61728 (GCVE-0-2025-61728)

Vulnerability from cvelistv5 – Published: 2026-01-28 19:30 – Updated: 2026-01-29 18:30

Title

Excessive CPU consumption when building archive index in archive/zip

Summary

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

References

URL

Tags

	https://go.dev/cl/736713
	https://go.dev/issue/77102
	https://groups.google.com/g/golang-announce/c/Vd2…
	https://pkg.go.dev/vuln/GO-2026-4342

Impacted products

	Vendor	Product	Version
	Go standard library	archive/zip	Affected: 0 , < 1.24.12 (semver) Affected: 1.25.0 , < 1.25.6 (semver)

Credits

Jakub Ciolek

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-01-28T20:08:22.055Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/01/15/4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-61728",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T18:29:58.068724Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T18:30:24.487Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "archive/zip",
          "product": "archive/zip",
          "programRoutines": [
            {
              "name": "Reader.initFileList"
            },
            {
              "name": "Reader.Open"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.6",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T19:30:31.354Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/736713"
        },
        {
          "url": "https://go.dev/issue/77102"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4342"
        }
      ],
      "title": "Excessive CPU consumption when building archive index in archive/zip"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-61728",
    "datePublished": "2026-01-28T19:30:31.354Z",
    "dateReserved": "2025-09-30T15:05:03.605Z",
    "dateUpdated": "2026-01-29T18:30:24.487Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-58183 (GCVE-0-2025-58183)

Vulnerability from cvelistv5 – Published: 2025-10-29 22:10 – Updated: 2025-11-04 21:13

Title

Unbounded allocation when parsing GNU sparse map in archive/tar

Summary

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

References

URL

Tags

	https://go.dev/cl/709861
	https://go.dev/issue/75677
	https://groups.google.com/g/golang-announce/c/4Em…
	https://pkg.go.dev/vuln/GO-2025-4014

Impacted products

	Vendor	Product	Version
	Go standard library	archive/tar	Affected: 0 , < 1.24.8 (semver) Affected: 1.25.0 , < 1.25.2 (semver)

Credits

Harshit Gupta (Mr HAX)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-58183",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-30T14:22:41.219110Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:37.377Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:13:32.834Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/10/08/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "archive/tar",
          "product": "archive/tar",
          "programRoutines": [
            {
              "name": "readGNUSparseMap1x0"
            },
            {
              "name": "Reader.Next"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.2",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Harshit Gupta (Mr HAX)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T22:10:14.376Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/709861"
        },
        {
          "url": "https://go.dev/issue/75677"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-4014"
        }
      ],
      "title": "Unbounded allocation when parsing GNU sparse map in archive/tar"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-58183",
    "datePublished": "2025-10-29T22:10:14.376Z",
    "dateReserved": "2025-08-27T14:50:58.691Z",
    "dateUpdated": "2025-11-04T21:13:32.834Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:5645

CVE-2025-47907 (GCVE-0-2025-47907)

CVE-2025-68121 (GCVE-0-2025-68121)

CVE-2025-61729 (GCVE-0-2025-61729)

CVE-2025-61726 (GCVE-0-2025-61726)

CVE-2025-61728 (GCVE-0-2025-61728)

CVE-2025-58183 (GCVE-0-2025-58183)

Tags

Sightings

Nomenclature