var-202210-1070
Vulnerability from variot
An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked. It is written in C language and can be called by many languages, such as C language, C++, XSH. Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements. Description:
Red Hat Advanced Cluster Management for Kubernetes 2.6.4 images
Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/
Issue addressed:
- RHACM 2.6.4 images (BZ# 2153382)
Security fixes:
-
CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process
-
Solution:
For Red Hat Advanced Cluster Management for Kubernetes, see the following documentation, which will be updated shortly for this release, for important instructions on installing this release:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html-single/install/index#installing
- Bugs fixed (https://bugzilla.redhat.com/):
2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process 2153382 - RHACM 2.6.4 images
Security Fixes in this release include:
-
- golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests(CVE-2022-41717)
For more details about the security issues, including the impact; a CVSS score; acknowledgments; and other related information refer to the CVE pages linked in the References section. Bugs fixed (https://bugzilla.redhat.com/):
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests
-
The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.
-
snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
- keycloak: path traversal via double URL encoding (CVE-2022-3782)
- RH-SSO for OpenShift images: unsecured management interface exposed to adjacent network (CVE-2022-4039)
- snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
- moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
- sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
- CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
- keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
- bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
- rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
- jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
- jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
- keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
- keycloak: minimist: prototype pollution (CVE-2021-44906)
- keycloak: missing email notification template allowlist (CVE-2022-1274)
- keycloak: XSS on izmpersonation under specific circumstances (CVE-2022-1438)
- keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
- Moment.js: Path traversal in moment.locale (CVE-2022-24785)
- loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
- snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
- snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
- snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
- jettison: parser crash by stackoverflow (CVE-2022-40149)
- jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
- jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
- json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
- jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
- jackson-databind: use of deeply nested arrays (CVE-2022-42004)
- CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
- undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
- keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
This erratum releases a new image for Red Hat Single Sign-On 7.6.2 for use within the Red Hat OpenShift Container Platform (from the release of 3.11 up to the release of 4.12.0) cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute 1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip 1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method 2031904 - CVE-2022-1438 keycloak: XSS on impersonation under specific circumstances 2066009 - CVE-2021-44906 minimist: prototype pollution 2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale 2073157 - CVE-2022-1274 keycloak: HTML injection in execute-actions-email Admin REST API 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS 2117506 - CVE-2022-2764 Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations 2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections 2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode 2129707 - CVE-2022-38750 snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject 2129709 - CVE-2022-38751 snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays 2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data 2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow 2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding 2140597 - CVE-2022-37603 loader-utils:Regular expression denial of service 2141404 - CVE-2022-3916 keycloak: Session takeover with OIDC offline refreshtokens 2143416 - CVE-2022-4039 rhsso-operator: unsecured management interface exposed to adjecent network 2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability 2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution 2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration 2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability 2155970 - CVE-2022-45693 jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos 2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method 2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service 2158585 - CVE-2023-0091 keycloak: Client Registration endpoint does not check token revocation 2160585 - CVE-2023-0264 keycloak: user impersonation via stolen uuid code
- Bugs fixed (https://bugzilla.redhat.com/):
2171870 - CVE-2023-0923 odh-notebook-controller-container: Missing authorization allows for file contents disclosure
- JIRA issues fixed (https://issues.jboss.org/):
RHODS-6123 - Update dsp repo to match upstream kfp-tekton repo RHODS-6136 - Verify status of manifests RHODS-6330 - Remove Openvino and Etcd images from quay for self-managed deployments RHODS-6779 - [Model Serving] fallback image for ovms is not published, leading to image pull errors in upgrade scenarios
- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
APPLE-SA-2022-12-13-8 watchOS 9.2
watchOS 9.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213536.
Accounts Available for: Apple Watch Series 4 and later Impact: A user may be able to view sensitive user information Description: This issue was addressed with improved data protection. CVE-2022-42843: Mickey Jin (@patch1t)
AppleAVD Available for: Apple Watch Series 4 and later Impact: Parsing a maliciously crafted video file may lead to kernel code execution Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46694: Andrey Labunets and Nikita Tarakanov
AppleMobileFileIntegrity Available for: Apple Watch Series 4 and later Impact: An app may be able to bypass Privacy preferences Description: This issue was addressed by enabling hardened runtime. CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing
CoreServices Available for: Apple Watch Series 4 and later Impact: An app may be able to bypass Privacy preferences Description: Multiple issues were addressed by removing the vulnerable code. CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of Offensive Security
ImageIO Available for: Apple Watch Series 4 and later Impact: Processing a maliciously crafted file may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46693: Mickey Jin (@patch1t)
IOHIDFamily Available for: Apple Watch Series 4 and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved state handling. CVE-2022-42864: Tommy Muir (@Muirey03)
IOMobileFrameBuffer Available for: Apple Watch Series 4 and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-46690: John Aakerblom (@jaakerblom)
iTunes Store Available for: Apple Watch Series 4 and later Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation. CVE-2022-42837: an anonymous researcher
Kernel Available for: Apple Watch Series 4 and later Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with additional validation. CVE-2022-46689: Ian Beer of Google Project Zero
Kernel Available for: Apple Watch Series 4 and later Impact: A remote user may be able to cause kernel code execution Description: The issue was addressed with improved memory handling. CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year Lab
Kernel Available for: Apple Watch Series 4 and later Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-42845: Adam Doupé of ASU SEFCOM
libxml2 Available for: Apple Watch Series 4 and later Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: An integer overflow was addressed through improved input validation. CVE-2022-40303: Maddie Stone of Google Project Zero
libxml2 Available for: Apple Watch Series 4 and later Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: This issue was addressed with improved checks. CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero
Safari Available for: Apple Watch Series 4 and later Impact: Visiting a website that frames malicious content may lead to UI spoofing Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. CVE-2022-46695: KirtiKumar Anandrao Ramchandani
Software Update Available for: Apple Watch Series 4 and later Impact: A user may be able to elevate privileges Description: An access issue existed with privileged API calls. This issue was addressed with additional restrictions. CVE-2022-42849: Mickey Jin (@patch1t)
Weather Available for: Apple Watch Series 4 and later Impact: An app may be able to read sensitive location information Description: The issue was addressed with improved handling of caches. CVE-2022-42866: an anonymous researcher
WebKit Available for: Apple Watch Series 4 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. WebKit Bugzilla: 245521 CVE-2022-42867: Maddie Stone of Google Project Zero
WebKit Available for: Apple Watch Series 4 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory consumption issue was addressed with improved memory handling. WebKit Bugzilla: 245466 CVE-2022-46691: an anonymous researcher
WebKit Available for: Apple Watch Series 4 and later Impact: Processing maliciously crafted web content may bypass Same Origin Policy Description: A logic issue was addressed with improved state management. WebKit Bugzilla: 246783 CVE-2022-46692: KirtiKumar Anandrao Ramchandani
WebKit Available for: Apple Watch Series 4 and later Impact: Processing maliciously crafted web content may result in the disclosure of process memory Description: The issue was addressed with improved memory handling. CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day Initiative
WebKit Available for: Apple Watch Series 4 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved input validation. WebKit Bugzilla: 246942 CVE-2022-46696: Samuel Groß of Google V8 Security WebKit Bugzilla: 247562 CVE-2022-46700: Samuel Groß of Google V8 Security
WebKit Available for: Apple Watch Series 4 and later Impact: Processing maliciously crafted web content may disclose sensitive user information Description: A logic issue was addressed with improved checks. CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.
WebKit Available for: Apple Watch Series 4 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved state management. WebKit Bugzilla: 247420 CVE-2022-46699: Samuel Groß of Google V8 Security WebKit Bugzilla: 244622 CVE-2022-42863: an anonymous researcher
Additional recognition
Kernel We would like to acknowledge Zweig of Kunlun Lab for their assistance.
Safari Extensions We would like to acknowledge Oliver Dunk and Christian R. of 1Password for their assistance.
WebKit We would like to acknowledge an anonymous researcher and scarlet for their assistance.
Instructions on how to update your Apple Watch software are available at https://support.apple.com/kb/HT204641 To check the version on your Apple Watch, open the Apple Watch app on your iPhone and select "My Watch > General > About". Alternatively, on your watch, select "My Watch > General > About". All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.
This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX4ACgkQ4RjMIDke NxlyKA//eeU/txeqNxHM7JQE6xFrlla1tinQYMjbLhMgzdTbKpPjX8aHVqFfLB/Q 5nH+NqrGs4HQwNQJ6fSiBIId0th71mgX7W3Noa1apzFh7Okl6IehczkAFB9OH7ve vnwiEECGU0hUNmbIi0s9HuuBo6eSNPFsJt0Jqn8ovV+F9bc+ftl/IRv6q2vg3rl3 DNag62BCmCN4uXmqoJ4CKg7cNbddvma0bDbB1yYujxdmFwm4JGN6aittXE3WtPK2 GH2/UxdZll8FR7Zegh1ziUcTaLR4dwHlXRFgc6WC8hqx6T8imNh1heAPwzhT+Iag piObDoMs7UYFKF/eQ8LUcl4hX8IOdLFO5I+BcvCzOcKqHutPqbE8QRU9yqjcQlsJ sOV7GT9W9J+QhibpIJbLVkkQp5djPZ8mLP0OKiRN1quEDWMrquPdM+r9ftJwEIki PLL/ur9c7geXCJCLzglMSMkNcoGZk77qzfJuPdoE0lD6zjdvBHalF5j8S0a1+9gi ex3zU1I+ixqg7CvLNfkSjLcO9KOoPEFHnqEFrrO17QWWyraugrPgV0dMYArGRBpA FofYP6bXLv8eSUNuyOoQxF6kS4ChYgLUabl2NYqop9LoRWAtDAclTiabuvDJPfqA W09wxdhbpp2saxt8LlQjffzOmHJST6oHhHZiFiFswRM0q0nue6I= =DltD -----END PGP SIGNATURE-----
. Bugs fixed (https://bugzilla.redhat.com/):
2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be 2163037 - CVE-2022-3064 go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents 2167819 - CVE-2023-23947 ArgoCD: Users with any cluster secret update access may update out-of-bounds cluster secrets
-
Gentoo Linux Security Advisory GLSA 202210-39
https://security.gentoo.org/
Severity: High Title: libxml2: Multiple Vulnerabilities Date: October 31, 2022 Bugs: #877149 ID: 202210-39
Synopsis
Multiple vulnerabilities have been found in libxml2, the worst of which could result in arbitrary code execution.
Background
libxml2 is the XML C parser and toolkit developed for the GNOME project.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/libxml2 < 2.10.3 >= 2.10.3
Description
Multiple vulnerabilities have been discovered in libxml2. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All libxml2 users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.10.3"
References
[ 1 ] CVE-2022-40303 https://nvd.nist.gov/vuln/detail/CVE-2022-40303 [ 2 ] CVE-2022-40304 https://nvd.nist.gov/vuln/detail/CVE-2022-40304
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202210-39
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us.
License
Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5 . ========================================================================= Ubuntu Security Notice USN-5760-1 December 05, 2022
libxml2 vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in libxml2.
Software Description: - libxml2: GNOME XML library
Details:
It was discovered that libxml2 incorrectly handled certain XML files. An attacker could possibly use this issue to cause a crash. An attacker could possibly use this issue to expose sensitive information or cause a crash. An attacker could possibly use this issue to execute arbitrary code. (CVE-2022-40304)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 22.10: libxml2 2.9.14+dfsg-1ubuntu0.1 libxml2-utils 2.9.14+dfsg-1ubuntu0.1
Ubuntu 22.04 LTS: libxml2 2.9.13+dfsg-1ubuntu0.2 libxml2-utils 2.9.13+dfsg-1ubuntu0.2
Ubuntu 20.04 LTS: libxml2 2.9.10+dfsg-5ubuntu0.20.04.5 libxml2-utils 2.9.10+dfsg-5ubuntu0.20.04.5
Ubuntu 18.04 LTS: libxml2 2.9.4+dfsg1-6.1ubuntu1.8 libxml2-utils 2.9.4+dfsg1-6.1ubuntu1.8
In general, a standard system update will make all the necessary changes. JIRA issues fixed (https://issues.jboss.org/):
WRKLDS-653 - New SSO 1.1.1 release to address existing CVEs
- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Important: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update Advisory ID: RHSA-2023:3742-02 Product: Red Hat OpenShift Data Foundation Advisory URL: https://access.redhat.com/errata/RHSA-2023:3742 Issue date: 2023-06-21 CVE Names: CVE-2015-20107 CVE-2018-25032 CVE-2020-10735 CVE-2020-16250 CVE-2020-16251 CVE-2020-17049 CVE-2021-3765 CVE-2021-3807 CVE-2021-4231 CVE-2021-4235 CVE-2021-4238 CVE-2021-28861 CVE-2021-43519 CVE-2021-43998 CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2021-44964 CVE-2021-46828 CVE-2021-46848 CVE-2022-0670 CVE-2022-1271 CVE-2022-1304 CVE-2022-1348 CVE-2022-1586 CVE-2022-1587 CVE-2022-2309 CVE-2022-2509 CVE-2022-2795 CVE-2022-2879 CVE-2022-2880 CVE-2022-3094 CVE-2022-3358 CVE-2022-3515 CVE-2022-3517 CVE-2022-3715 CVE-2022-3736 CVE-2022-3821 CVE-2022-3924 CVE-2022-4415 CVE-2022-21824 CVE-2022-23540 CVE-2022-23541 CVE-2022-24903 CVE-2022-26280 CVE-2022-27664 CVE-2022-28805 CVE-2022-29154 CVE-2022-30635 CVE-2022-31129 CVE-2022-32189 CVE-2022-32190 CVE-2022-33099 CVE-2022-34903 CVE-2022-35737 CVE-2022-36227 CVE-2022-37434 CVE-2022-38149 CVE-2022-38900 CVE-2022-40023 CVE-2022-40303 CVE-2022-40304 CVE-2022-40897 CVE-2022-41316 CVE-2022-41715 CVE-2022-41717 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2022-42010 CVE-2022-42011 CVE-2022-42012 CVE-2022-42898 CVE-2022-42919 CVE-2022-43680 CVE-2022-45061 CVE-2022-45873 CVE-2022-46175 CVE-2022-47024 CVE-2022-47629 CVE-2022-48303 CVE-2022-48337 CVE-2022-48338 CVE-2022-48339 CVE-2023-0361 CVE-2023-0620 CVE-2023-0665 CVE-2023-2491 CVE-2023-22809 CVE-2023-24329 CVE-2023-24999 CVE-2023-25000 CVE-2023-25136 =====================================================================
- Summary:
Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Description:
Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3 compatible API.
Security Fix(es):
-
goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238)
-
decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)
-
vault: Hashicorp Vault AWS IAM Integration Authentication Bypass (CVE-2020-16250)
-
vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251)
-
nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
-
go-yaml: Denial of Service in go-yaml (CVE-2021-4235)
-
vault: incorrect policy enforcement (CVE-2021-43998)
-
nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531)
-
nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532)
-
nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533)
-
golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
-
golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
-
nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
-
jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass (CVE-2022-23540)
-
jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC (CVE-2022-23541)
-
golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
-
golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
-
golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
-
consul: Consul Template May Expose Vault Secrets When Processing Invalid Input (CVE-2022-38149)
-
vault: insufficient certificate revocation list checking (CVE-2022-41316)
-
golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
-
golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
-
net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
-
golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)
-
golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)
-
json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
-
vault: Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File (CVE-2023-0620)
-
hashicorp/vault: Vault’s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata (CVE-2023-0665)
-
Hashicorp/vault: Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation (CVE-2023-24999)
-
hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations (CVE-2023-25000)
-
validator: Inefficient Regular Expression Complexity in Validator.js (CVE-2021-3765)
-
nodejs: Prototype pollution via console.table properties (CVE-2022-21824)
-
golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
These updated images include numerous enhancements and bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat OpenShift Data Foundation Release Notes for information on the most significant of these changes:
https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.13/html/4.13_release_notes/index
All Red Hat OpenShift Data Foundation users are advised to upgrade to these updated images that provide numerous bug fixes and enhancements.
- Bugs fixed (https://bugzilla.redhat.com/):
1786696 - UI->Dashboards->Overview->Alerts shows MON components are at different versions, though they are NOT 1855339 - Wrong version of ocs-storagecluster 1943137 - [Tracker for BZ #1945618] rbd: Storage is not reclaimed after persistentvolumeclaim and job that utilized it are deleted 1944687 - [RFE] KMS server connection lost alert 1989088 - [4.8][Multus] UX experience issues and enhancements 2005040 - Uninstallation of ODF StorageSystem via OCP Console fails, gets stuck in Terminating state 2005830 - [DR] DRPolicy resource should not be editable after creation 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes 2028193 - CVE-2021-43998 vault: incorrect policy enforcement 2040839 - CVE-2021-44531 nodejs: Improper handling of URI Subject Alternative Names 2040846 - CVE-2021-44532 nodejs: Certificate Verification Bypass via String Injection 2040856 - CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields 2040862 - CVE-2022-21824 nodejs: Prototype pollution via console.table properties 2042914 - [Tracker for BZ #2013109] [UI] Refreshing web console from the pop-up is taking to Install Operator page. 2052252 - CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824 [CVE] nodejs: various flaws [openshift-data-foundation-4] 2101497 - ceph_mon_metadata metrics are not collected properly 2101916 - must-gather is not collecting ceph logs or coredumps 2102304 - [GSS] Remove the entry of removed node from Storagecluster under Node Topology 2104148 - route ocs-storagecluster-cephobjectstore misconfigured to use http and https on same http route in haproxy.config 2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service 2115020 - [RDR] Sync schedule is not removed from mirrorpeer yaml after DR Policy is deleted 2115616 - [GSS] failing to change ownership of the NFS based PVC for PostgreSQL pod by using kube_pv_chown utility 2119551 - CVE-2022-38149 consul: Consul Template May Expose Vault Secrets When Processing Invalid Input 2120098 - [RDR] Even before an action gets fully completed, PeerReady and Available are reported as True in the DRPC yaml 2120944 - Large Omap objects found in pool 'ocs-storagecluster-cephfilesystem-metadata' 2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY 2126299 - CVE-2021-3765 validator: Inefficient Regular Expression Complexity in Validator.js 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps 2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function 2135339 - CVE-2022-41316 vault: insufficient certificate revocation list checking 2139037 - [cee/sd]Unable to access s3 via RGW route ocs-storagecluster-cephobjectstore 2141095 - [RDR] Storage System page on ACM Hub is visible even when data observability is not enabled 2142651 - RFE: OSDs need ability to bind to a service IP instead of the pod IP to support RBD mirroring in OCP clusters 2142894 - Credentials are ignored when creating a Backing/Namespace store after prompted to enter a name for the resource 2142941 - RGW cloud Transition. HEAD/GET requests to MCG are failing with 403 error 2143944 - [GSS] unknown parameter name "FORCE_OSD_REMOVAL" 2144256 - [RDR] [UI] DR Application applied to a single DRPolicy starts showing connected to multiple policies due to console flickering 2151903 - [MCG] Azure bs/ns creation fails with target bucket does not exists 2152143 - [Noobaa Clone] Secrets are used in env variables 2154250 - NooBaa Bucket Quota alerts are not working 2155507 - RBD reclaimspace job fails when the PVC is not mounted 2155743 - ODF Dashboard fails to load 2156067 - [RDR] [UI] When Peer Ready isn't True, UI doesn't reset the error message even when no subscription group is selected 2156069 - [UI] Instances of OCS can be seen on BlockPool action modals 2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method 2156519 - 4.13: odf-csi-addons-operator failed with OwnNamespace InstallModeType not supported 2156727 - CVE-2021-4235 go-yaml: Denial of Service in go-yaml 2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be 2157876 - [OCP Tracker] [UI] When OCP and ODF are upgraded, refresh web console pop-up doesn't appear after ODF upgrade resulting in dashboard crash 2158922 - Namespace store fails to get created via the ODF UI 2159676 - rbd-mirror logs are rotated very frequently, increase the default maxlogsize for rbd-mirror 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests 2161879 - logging issue when deleting webhook resources 2161937 - collect kernel and journal logs from all worker nodes 2162257 - [RDR][CEPHFS] sync/replication is getting stopped for some pvc 2164617 - Unable to expand ocs-storagecluster-ceph-rbd PVCs provisioned in Filesystem mode 2165495 - Placement scheduler is using too much resources 2165504 - Sizer sharing link is broken 2165929 - [RFE] ODF bluewash introduction in 4.12.x 2165938 - ocs-operator CSV is missing disconnected env annotation. 2165984 - [RDR] Replication stopped for images is represented with incorrect color 2166222 - CSV is missing disconnected env annotation and relatedImages spec 2166234 - Application user unable to invoke Failover and Relocate actions 2166869 - Match the version of consoleplugin to odf operator 2167299 - [RFE] ODF bluewash introduction in 4.12.x 2167308 - [mcg-clone] Security and VA issues with ODF operator 2167337 - CVE-2020-16250 vault: Hashicorp Vault AWS IAM Integration Authentication Bypass 2167340 - CVE-2020-16251 vault: GCP Auth Method Allows Authentication Bypass 2167946 - CSV is missing disconnected env annotation and relatedImages spec 2168113 - [Ceph Tracker BZ #2141110] [cee/sd][Bluestore] Newly deployed bluestore OSD's showing high fragmentation score 2168635 - fix redirect link to operator details page (OCS dashboard) 2168840 - [Fusion-aaS][ODF 4.13]Within 'prometheus-ceph-rules' the namespace for 'rook-ceph-mgr' jobs should be configurable. 2168849 - Must-gather doesn't collect coredump logs crucial for OSD crash events 2169375 - CVE-2022-23541 jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC 2169378 - CVE-2022-23540 jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass 2169779 - [vSphere]: rook-ceph-mon- pvc are in pending state 2170644 - CVE-2022-38900 decode-uri-component: improper input validation resulting in DoS 2170673 - [RDR] Different replication states of PVC images aren't correctly distinguished and representated on UI 2172089 - [Tracker for Ceph BZ 2174461] rook-ceph-nfs pod is stuck at status 'CreateContainerError' after enabling NFS in ODF 4.13 2172365 - [csi-addons] odf-csi-addons-operator oomkilled with fresh installation 4.12 2172521 - No OSD pods are created for 4.13 LSO deployment 2173161 - ODF-console can not start when you disable IPv6 on Node with kernel parameter. 2173528 - Creation of OCS operator tag automatically for verified commits 2173534 - When on StorageSystem details click on History back btn it shows blank body 2173926 - [RFE] Include changes in MCG for new Ceph RGW transition headers 2175612 - noobaa-core-0 crashing and storagecluster not getting to ready state during ODF deployment with FIPS enabled in 4.13cluster 2175685 - RGW OBC creation via the UI is blocked by "Address form errors to proceed" error 2175714 - UI fix- capitalization 2175867 - Rook sets cephfs kernel mount options even when mon is using v1 port 2176080 - odf must-gather should collect output of oc get hpa -n openshift-storage 2176456 - [RDR] ramen-hub-operator and ramen-dr-cluster-operator is going into CLBO post deployment 2176739 - [UI] CSI Addons operator icon is broken 2176776 - Enable save options only when the protected apps has labels for manage DRPolicy 2176798 - [IBM Z ] Multi Cluster Orchestrator operator is not available in the Operator Hub 2176809 - [IBM Z ] DR operator is not available in the Operator Hub 2177134 - Next button if disabled for storage system deployment flow for IBM Ceph Storage security and network step when there is no OCS installed already 2177221 - Enable DR dashboard only when ACM observability is enabled 2177325 - Noobaa-db pod is taking longer time to start up in ODF 4.13 2177695 - DR dashbaord showing incorrect RPO data 2177844 - CVE-2023-24999 Hashicorp/vault: Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation 2178033 - node topology warnings tab doesn't show pod warnings 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding 2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption 2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics 2178588 - No rack names on ODF Topology 2178619 - odf-operator failing to resolve its sub-dependencies leaving the ocs-consumer/provider addon in a failed and halted state 2178682 - [GSS] Add the valid AWS GovCloud regions in OCS UI. 2179133 - [UI] A blank page appears while selecting Storage Pool for creating Encrypted Storage Class 2179337 - Invalid storage system href link on the ODF multicluster dashboard 2179403 - (4.13) Mons are failing to start when msgr2 is required with RHCS 6.1 2179846 - [IBM Z] In RHCS external mode Cephobjectstore creation fails as it reports that the "object store name cannot be longer than 38 characters" 2179860 - [MCG] Bucket replication with deletion sync isn't complete 2179976 - [ODF 4.13] Missing the status-reporter binary causing pods "report-status-to-provider" remain in CreateContainerError on ODF to ODF cluster on ROSA 2179981 - ODF Topology search bar mistakes to find searched node/pod 2179997 - Topology. Exit full screen does not appear in Full screen mode 2180211 - StorageCluster stuck in progressing state for Thales KMS deployment 2180397 - Last sync time is missing on application set's disaster recovery status popover 2180440 - odf-monitoring-tool. YAML file misjudged as corrupted 2180921 - Deployment with external cluster in ODF 4.13 with unable to use cephfs as backing store for image_registry 2181112 - [RDR] [UI] Hide disable DR functionality as it would be un-tested in 4.13 2181133 - CI: backport E2E job improvements 2181446 - [KMS][UI] PVC provisioning failed in case of vault kubernetes authentication is configured. 2181535 - [GSS] Object storage in degraded state 2181551 - Build: move to 'dependencies' the ones required for running a build 2181832 - Create OBC via UI, placeholder on StorageClass dropped 2181949 - [ODF Tracker] [RFE] Catch MDS damage to the dentry's first snapid 2182041 - OCS-Operator expects NooBaa CRDs to be present on the cluster when installed directly without ODF Operator 2182296 - [Fusion-aaS][ODF 4.13]must-gather does not collect relevant logs when storage cluster is not in openshift-storage namespace 2182375 - [MDR] Not able to fence DR clusters 2182644 - [IBM Z] MDR policy creation fails unless the ocs-operator pod is restarted on the managed clusters 2182664 - Topology view should hide the sidebar when changing levels 2182703 - [RDR] After upgrading from 4.12.2 to 4.13.0 version.odf.openshift.io cr is not getting updated with latest ODF version 2182972 - CVE-2023-25000 hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations 2182981 - CVE-2023-0665 hashicorp/vault: Vault?s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata 2183155 - failed to mount the the cephfs subvolume as subvolumegroup name is not sent in the GetStorageConfig RPC call 2183196 - [Fusion-aaS] Collect Must-gather logs from the managed-fusion agent namesapce 2183266 - [Fusion aaS Rook ODF 4.13]] Rook-ceph-operator pod should allow OBC CRDs to be optional instead of causing a crash when not present 2183457 - [RDR] when running any ceph cmd we see error 2023-03-31T08:25:31.844+0000 7f8deaffd640 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1] 2183478 - [MDR][UI] Cannot relocate subscription based apps, Appset based apps are possible to relocate 2183520 - [Fusion-aaS] csi-cephfs-plugin pods are not created after installing ocs-client-operator 2184068 - [Fusion-aaS] Failed to mount CephFS volumes while creating pods 2184605 - [ODF 4.13][Fusion-aaS] OpenShift Data Foundation Client operator is listed in OperatorHub and installable from UI 2184663 - CVE-2023-0620 vault: Vault?s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File 2184769 - {Fusion-aaS][ODF 4.13]Remove storageclassclaim cr and create new cr storageclass request cr 2184773 - multicluster-orchestrator should not reset spec.network.multiClusterService.Enabled field added by user 2184892 - Don't pass encryption options to ceph cluster in odf external mode to provider/consumer cluster 2184984 - Topology Sidebar alerts panel: alerts accordion does not toggle when clicking on alert severity text 2185164 - [KMS][VAULT] PVC provisioning is failing when the Vault (HCP) Kubernetes authentication is set. 2185188 - Fix storagecluster watch request for OCSInitialization 2185757 - add NFS dashboard 2185871 - [MDR][ACM-Tracker] Deleting an Appset based application does not delete its placement 2186171 - [GSS] "disableLoadBalancerService: true" config is reconciled after modifying the number of NooBaa endpoints 2186225 - [RDR] when running any ceph cmd we see error 2023-03-31T08:25:31.844+0000 7f8deaffd640 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1] 2186475 - handle different network connection spec & Pass appropriate options for all the cases of Network Spec 2186752 - [translations] add translations for 4.13 2187251 - sync ocs and odf with the latest rook 2187296 - [MCG] Can't opt out of deletions sync once log-based replication with deletions sync is set 2187736 - [RDR] Replication history graph is showing incorrect value 2187952 - When cluster controller is cancelled frequently, multiple simultaneous controllers cause issues since need to wait for shutdown before continuing new controller 2187969 - [ODFMS-Migration ] [OCS Client Operator] csi-rbdplugin stuck in ImagePullBackOff on consumer clusters after Migration 2187986 - [MDR] ramen-dr-cluster-operator pod is in CLBO after assigning dr policy to an appset based app 2188053 - ocs-metrics-exporter cannot list/watch StorageCluster, StorageClass, CephBlockPool and other resources 2188238 - [RDR] Avoid using the terminologies "SLA" in DR dashbaord 2188303 - [RDR] Maintenance mode is not enabled after initiating failover action 2188427 - [External mode upgrade]: Upgrade from 4.12 -> 4.13 external mode is failing because rook-ceph-operator is not reaching clean state 2188666 - wrong label in new storageclassrequest cr 2189483 - After upgrade noobaa-db-pg-0 pod using old image in one of container 2189929 - [RDR/MDR] [UI] Dashboard fon size are very uneven 2189982 - [RDR] ocs_rbd_client_blocklisted datapoints and the corresponding alert is not getting generated 2189984 - [KMS][VAULT] Storage cluster remains in 'Progressing' state during deployment with storage class encryption, despite all pods being up and running. 2190129 - OCS Provider Server logs are incorrect 2190241 - nfs metric details are unavailable and server health is displaying as "Degraded" under Network file system tab in UI 2192088 - [IBM P] rbd_default_map_options value not set to ms_mode=secure in in-transit encryption enabled ODF cluster 2192670 - Details tab for nodes inside Topology throws "Something went wrong" on IBM Power platform 2192824 - [4.13] Fix Multisite in external cluster 2192875 - Enable ceph-exporter in rook 2193114 - MCG replication is failing due to OC binary incompatible on Power platform 2193220 - [Stretch cluster] CephCluster is updated frequently due to changing ordering of zones 2196176 - MULTUS UI, There is no option to change the multus configuration after we configure the params 2196236 - [RDR] With ACM 2.8 User is not able to apply Drpolicy to subscription workload 2196298 - [RDR] DRPolicy doesn't show connected application when subscription based workloads are deployed via CLI 2203795 - ODF Monitoring is missing some of the ceph_ metric values 2208029 - nfs server health is always displaying as "Degraded" under Network file system tab in UI. 2208079 - rbd mirror daemon is commonly not upgraded 2208269 - [RHCS Tracker] After add capacity the rebalance does not complete, and we see 2 PGs in active+clean+scrubbing and 1 active+clean+scrubbing+deep 2208558 - [MDR] ramen-dr-cluster-operator pod crashes during failover 2208962 - [UI] ODF Topology. Degraded cluster don't show red canvas on cluster level 2209364 - ODF dashboard crashes when OCP and ODF are upgraded 2209643 - Multus, Cephobjectstore stuck on Progressing state because " failed to create or retrieve rgw admin ops user" 2209695 - When collecting Must-gather logs shows /usr/bin/gather_ceph_resources: line 341: jq: command not found 2210964 - [UI][MDR] After hub recovery in overview tab of data policies Application set apps count is not showing 2211334 - The replication history graph is very unclear 2211343 - [MCG-Only]: upgrade failed from 4.12 to 4.13 due to missing CSI_ENABLE_READ_AFFINITY in ConfigMap openshift-storage/ocs-operator-config 2211704 - Multipart uploads fail to a Azure namespace bucket when user MD is sent as part of the upload
- References:
https://access.redhat.com/security/cve/CVE-2015-20107 https://access.redhat.com/security/cve/CVE-2018-25032 https://access.redhat.com/security/cve/CVE-2020-10735 https://access.redhat.com/security/cve/CVE-2020-16250 https://access.redhat.com/security/cve/CVE-2020-16251 https://access.redhat.com/security/cve/CVE-2020-17049 https://access.redhat.com/security/cve/CVE-2021-3765 https://access.redhat.com/security/cve/CVE-2021-3807 https://access.redhat.com/security/cve/CVE-2021-4231 https://access.redhat.com/security/cve/CVE-2021-4235 https://access.redhat.com/security/cve/CVE-2021-4238 https://access.redhat.com/security/cve/CVE-2021-28861 https://access.redhat.com/security/cve/CVE-2021-43519 https://access.redhat.com/security/cve/CVE-2021-43998 https://access.redhat.com/security/cve/CVE-2021-44531 https://access.redhat.com/security/cve/CVE-2021-44532 https://access.redhat.com/security/cve/CVE-2021-44533 https://access.redhat.com/security/cve/CVE-2021-44964 https://access.redhat.com/security/cve/CVE-2021-46828 https://access.redhat.com/security/cve/CVE-2021-46848 https://access.redhat.com/security/cve/CVE-2022-0670 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/cve/CVE-2022-1304 https://access.redhat.com/security/cve/CVE-2022-1348 https://access.redhat.com/security/cve/CVE-2022-1586 https://access.redhat.com/security/cve/CVE-2022-1587 https://access.redhat.com/security/cve/CVE-2022-2309 https://access.redhat.com/security/cve/CVE-2022-2509 https://access.redhat.com/security/cve/CVE-2022-2795 https://access.redhat.com/security/cve/CVE-2022-2879 https://access.redhat.com/security/cve/CVE-2022-2880 https://access.redhat.com/security/cve/CVE-2022-3094 https://access.redhat.com/security/cve/CVE-2022-3358 https://access.redhat.com/security/cve/CVE-2022-3515 https://access.redhat.com/security/cve/CVE-2022-3517 https://access.redhat.com/security/cve/CVE-2022-3715 https://access.redhat.com/security/cve/CVE-2022-3736 https://access.redhat.com/security/cve/CVE-2022-3821 https://access.redhat.com/security/cve/CVE-2022-3924 https://access.redhat.com/security/cve/CVE-2022-4415 https://access.redhat.com/security/cve/CVE-2022-21824 https://access.redhat.com/security/cve/CVE-2022-23540 https://access.redhat.com/security/cve/CVE-2022-23541 https://access.redhat.com/security/cve/CVE-2022-24903 https://access.redhat.com/security/cve/CVE-2022-26280 https://access.redhat.com/security/cve/CVE-2022-27664 https://access.redhat.com/security/cve/CVE-2022-28805 https://access.redhat.com/security/cve/CVE-2022-29154 https://access.redhat.com/security/cve/CVE-2022-30635 https://access.redhat.com/security/cve/CVE-2022-31129 https://access.redhat.com/security/cve/CVE-2022-32189 https://access.redhat.com/security/cve/CVE-2022-32190 https://access.redhat.com/security/cve/CVE-2022-33099 https://access.redhat.com/security/cve/CVE-2022-34903 https://access.redhat.com/security/cve/CVE-2022-35737 https://access.redhat.com/security/cve/CVE-2022-36227 https://access.redhat.com/security/cve/CVE-2022-37434 https://access.redhat.com/security/cve/CVE-2022-38149 https://access.redhat.com/security/cve/CVE-2022-38900 https://access.redhat.com/security/cve/CVE-2022-40023 https://access.redhat.com/security/cve/CVE-2022-40303 https://access.redhat.com/security/cve/CVE-2022-40304 https://access.redhat.com/security/cve/CVE-2022-40897 https://access.redhat.com/security/cve/CVE-2022-41316 https://access.redhat.com/security/cve/CVE-2022-41715 https://access.redhat.com/security/cve/CVE-2022-41717 https://access.redhat.com/security/cve/CVE-2022-41723 https://access.redhat.com/security/cve/CVE-2022-41724 https://access.redhat.com/security/cve/CVE-2022-41725 https://access.redhat.com/security/cve/CVE-2022-42010 https://access.redhat.com/security/cve/CVE-2022-42011 https://access.redhat.com/security/cve/CVE-2022-42012 https://access.redhat.com/security/cve/CVE-2022-42898 https://access.redhat.com/security/cve/CVE-2022-42919 https://access.redhat.com/security/cve/CVE-2022-43680 https://access.redhat.com/security/cve/CVE-2022-45061 https://access.redhat.com/security/cve/CVE-2022-45873 https://access.redhat.com/security/cve/CVE-2022-46175 https://access.redhat.com/security/cve/CVE-2022-47024 https://access.redhat.com/security/cve/CVE-2022-47629 https://access.redhat.com/security/cve/CVE-2022-48303 https://access.redhat.com/security/cve/CVE-2022-48337 https://access.redhat.com/security/cve/CVE-2022-48338 https://access.redhat.com/security/cve/CVE-2022-48339 https://access.redhat.com/security/cve/CVE-2023-0361 https://access.redhat.com/security/cve/CVE-2023-0620 https://access.redhat.com/security/cve/CVE-2023-0665 https://access.redhat.com/security/cve/CVE-2023-2491 https://access.redhat.com/security/cve/CVE-2023-22809 https://access.redhat.com/security/cve/CVE-2023-24329 https://access.redhat.com/security/cve/CVE-2023-24999 https://access.redhat.com/security/cve/CVE-2023-25000 https://access.redhat.com/security/cve/CVE-2023-25136 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.13/html/4.13_release_notes/index
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202210-1070",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "h410c",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "clustered data ontap",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "tvos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "16.2"
},
{
"model": "h300s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "h410s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "clustered data ontap antivirus connector",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "h500s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "macos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "11.7.2"
},
{
"model": "h700s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "ipados",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "15.7.2"
},
{
"model": "macos",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "12.0"
},
{
"model": "macos",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "11.0"
},
{
"model": "libxml2",
"scope": "lt",
"trust": 1.0,
"vendor": "xmlsoft",
"version": "2.10.3"
},
{
"model": "macos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12.6.2"
},
{
"model": "iphone os",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "15.7.2"
},
{
"model": "smi-s provider",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "manageability software development kit",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "active iq unified manager",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "snapmanager",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "watchos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "9.2"
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-40304"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "171025"
},
{
"db": "PACKETSTORM",
"id": "171318"
},
{
"db": "PACKETSTORM",
"id": "171215"
},
{
"db": "PACKETSTORM",
"id": "171173"
},
{
"db": "PACKETSTORM",
"id": "171040"
},
{
"db": "PACKETSTORM",
"id": "172460"
},
{
"db": "PACKETSTORM",
"id": "173107"
}
],
"trust": 0.7
},
"cve": "CVE-2022-40304",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"id": "CVE-2022-40304",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2022-40304",
"trust": 1.0,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-40304"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked. It is written in C language and can be called by many languages, such as C language, C++, XSH. Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements. Description:\n\nRed Hat Advanced Cluster Management for Kubernetes 2.6.4 images\n\nRed Hat Advanced Cluster Management for Kubernetes provides the\ncapabilities to address common challenges that administrators and site\nreliability engineers face as they work across a range of public and\nprivate cloud environments. Clusters and applications are all visible and\nmanaged from a single console\u2014with security policy built in. See the following\nRelease Notes documentation, which will be updated shortly for this\nrelease, for additional details about this release:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/\n\nIssue addressed:\n\n* RHACM 2.6.4 images (BZ# 2153382)\n\nSecurity fixes:\n\n* CVE-2022-24999 express: \"qs\" prototype poisoning causes the hang of the\nnode process\n\n3. Solution:\n\nFor Red Hat Advanced Cluster Management for Kubernetes, see the following\ndocumentation, which will be updated shortly for this release, for\nimportant\ninstructions on installing this release:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html-single/install/index#installing\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n2150323 - CVE-2022-24999 express: \"qs\" prototype poisoning causes the hang of the node process\n2153382 - RHACM 2.6.4 images\n\n5. \n\nSecurity Fixes in this release include:\n\n- - golang: net/http: An attacker can cause excessive memory growth in a Go\nserver accepting HTTP/2 requests(CVE-2022-41717)\n\nFor more details about the security issues, including the impact; a CVSS\nscore; acknowledgments; and other related information refer to the CVE\npages linked in the References section. Bugs fixed (https://bugzilla.redhat.com/):\n\n2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests\n\n5. The Red Hat\nSingle Sign-On for OpenShift image provides an authentication server that\nyou can use to log in centrally, log out, and register. You can also manage\nuser accounts for web applications, mobile applications, and RESTful web\nservices. \n\n* snakeyaml: Constructor Deserialization Remote Code Execution\n(CVE-2022-1471)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* RH-SSO for OpenShift images: unsecured management interface exposed to\nadjacent network (CVE-2022-4039)\n* snakeyaml: Denial of Service due to missing nested depth limitation for\ncollections (CVE-2022-25857)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability\n(CVE-2022-45047)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* keycloak: keycloak: user impersonation via stolen uuid code\n(CVE-2023-0264)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent\nattribute (CVE-2018-14040)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the\ndata-container property of tooltip (CVE-2018-14042)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of\nservice, remote code execution, or property injection (CVE-2019-11358)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter\nmethod (CVE-2020-11022)\n* keycloak: glob-parent: Regular Expression Denial of Service\n(CVE-2021-35065)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: XSS on izmpersonation under specific circumstances\n(CVE-2022-1438)\n* keycloak: Session takeover with OIDC offline refreshtokens\n(CVE-2022-3916)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* loader-utils: loader-utils:Regular expression denial of service\n(CVE-2022-37603)\n* snakeyaml: Uncaught exception in\norg.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in\norg.yaml.snakeyaml.constructor.BaseConstructor.constructObject\n(CVE-2022-38750)\n* snakeyaml: Uncaught exception in\njava.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jettison: memory exhaustion via user-supplied XML or JSON data\n(CVE-2022-40150)\n* jettison: If the value in map is the map\u0027s self, the new new\nJSONObject(map) cause StackOverflowError which may lead to dos\n(CVE-2022-45693)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* jackson-databind: deep wrapper array nesting wrt\nUNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK\nforever for EJB invocations (CVE-2022-2764)\n* keycloak: Client Registration endpoint does not check token revocation\n(CVE-2023-0091)\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.6.2 for use\nwithin the Red Hat OpenShift Container Platform (from the release of 3.11\nup to the release of 4.12.0) cloud computing Platform-as-a-Service (PaaS)\nfor on-premise or private cloud deployments, aligning with the standalone\nproduct release. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute\n1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip\n1701972 - CVE-2019-11358 jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection\n1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method\n2031904 - CVE-2022-1438 keycloak: XSS on impersonation under specific circumstances\n2066009 - CVE-2021-44906 minimist: prototype pollution\n2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale\n2073157 - CVE-2022-1274 keycloak: HTML injection in execute-actions-email Admin REST API\n2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS\n2117506 - CVE-2022-2764 Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations\n2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections\n2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode\n2129707 - CVE-2022-38750 snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject\n2129709 - CVE-2022-38751 snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match\n2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS\n2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays\n2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data\n2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow\n2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding\n2140597 - CVE-2022-37603 loader-utils:Regular expression denial of service\n2141404 - CVE-2022-3916 keycloak: Session takeover with OIDC offline refreshtokens\n2143416 - CVE-2022-4039 rhsso-operator: unsecured management interface exposed to adjecent network\n2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability\n2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution\n2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration\n2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability\n2155970 - CVE-2022-45693 jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos\n2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method\n2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service\n2158585 - CVE-2023-0091 keycloak: Client Registration endpoint does not check token revocation\n2160585 - CVE-2023-0264 keycloak: user impersonation via stolen uuid code\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n2171870 - CVE-2023-0923 odh-notebook-controller-container: Missing authorization allows for file contents disclosure\n\n5. JIRA issues fixed (https://issues.jboss.org/):\n\nRHODS-6123 - Update dsp repo to match upstream kfp-tekton repo\nRHODS-6136 - Verify status of manifests\nRHODS-6330 - Remove Openvino and Etcd images from quay for self-managed deployments\nRHODS-6779 - [Model Serving] fallback image for ovms is not published, leading to image pull errors in upgrade scenarios\n\n6. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2022-12-13-8 watchOS 9.2\n\nwatchOS 9.2 addresses the following issues. \nInformation about the security content is also available at\nhttps://support.apple.com/HT213536. \n\nAccounts\nAvailable for: Apple Watch Series 4 and later\nImpact: A user may be able to view sensitive user information\nDescription: This issue was addressed with improved data protection. \nCVE-2022-42843: Mickey Jin (@patch1t)\n\nAppleAVD\nAvailable for: Apple Watch Series 4 and later\nImpact: Parsing a maliciously crafted video file may lead to kernel\ncode execution\nDescription: An out-of-bounds write issue was addressed with improved\ninput validation. \nCVE-2022-46694: Andrey Labunets and Nikita Tarakanov\n\nAppleMobileFileIntegrity\nAvailable for: Apple Watch Series 4 and later\nImpact: An app may be able to bypass Privacy preferences\nDescription: This issue was addressed by enabling hardened runtime. \nCVE-2022-42865: Wojciech Regu\u0142a (@_r3ggi) of SecuRing\n\nCoreServices\nAvailable for: Apple Watch Series 4 and later\nImpact: An app may be able to bypass Privacy preferences\nDescription: Multiple issues were addressed by removing the\nvulnerable code. \nCVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of\nOffensive Security\n\nImageIO\nAvailable for: Apple Watch Series 4 and later\nImpact: Processing a maliciously crafted file may lead to arbitrary\ncode execution\nDescription: An out-of-bounds write issue was addressed with improved\ninput validation. \nCVE-2022-46693: Mickey Jin (@patch1t)\n\nIOHIDFamily\nAvailable for: Apple Watch Series 4 and later\nImpact: An app may be able to execute arbitrary code with kernel\nprivileges\nDescription: A race condition was addressed with improved state\nhandling. \nCVE-2022-42864: Tommy Muir (@Muirey03)\n\nIOMobileFrameBuffer\nAvailable for: Apple Watch Series 4 and later\nImpact: An app may be able to execute arbitrary code with kernel\nprivileges\nDescription: An out-of-bounds write issue was addressed with improved\ninput validation. \nCVE-2022-46690: John Aakerblom (@jaakerblom)\n\niTunes Store\nAvailable for: Apple Watch Series 4 and later\nImpact: A remote user may be able to cause unexpected app termination\nor arbitrary code execution\nDescription: An issue existed in the parsing of URLs. This issue was\naddressed with improved input validation. \nCVE-2022-42837: an anonymous researcher\n\nKernel\nAvailable for: Apple Watch Series 4 and later\nImpact: An app may be able to execute arbitrary code with kernel\nprivileges\nDescription: A race condition was addressed with additional\nvalidation. \nCVE-2022-46689: Ian Beer of Google Project Zero\n\nKernel\nAvailable for: Apple Watch Series 4 and later\nImpact: A remote user may be able to cause kernel code execution\nDescription: The issue was addressed with improved memory handling. \nCVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year\nLab\n\nKernel\nAvailable for: Apple Watch Series 4 and later\nImpact: An app with root privileges may be able to execute arbitrary\ncode with kernel privileges\nDescription: The issue was addressed with improved memory handling. \nCVE-2022-42845: Adam Doup\u00e9 of ASU SEFCOM\n\nlibxml2\nAvailable for: Apple Watch Series 4 and later\nImpact: A remote user may be able to cause unexpected app termination\nor arbitrary code execution\nDescription: An integer overflow was addressed through improved input\nvalidation. \nCVE-2022-40303: Maddie Stone of Google Project Zero\n\nlibxml2\nAvailable for: Apple Watch Series 4 and later\nImpact: A remote user may be able to cause unexpected app termination\nor arbitrary code execution\nDescription: This issue was addressed with improved checks. \nCVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project\nZero\n\nSafari\nAvailable for: Apple Watch Series 4 and later\nImpact: Visiting a website that frames malicious content may lead to\nUI spoofing\nDescription: A spoofing issue existed in the handling of URLs. This\nissue was addressed with improved input validation. \nCVE-2022-46695: KirtiKumar Anandrao Ramchandani\n\nSoftware Update\nAvailable for: Apple Watch Series 4 and later\nImpact: A user may be able to elevate privileges\nDescription: An access issue existed with privileged API calls. This\nissue was addressed with additional restrictions. \nCVE-2022-42849: Mickey Jin (@patch1t)\n\nWeather\nAvailable for: Apple Watch Series 4 and later\nImpact: An app may be able to read sensitive location information\nDescription: The issue was addressed with improved handling of\ncaches. \nCVE-2022-42866: an anonymous researcher\n\nWebKit\nAvailable for: Apple Watch Series 4 and later\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: A use after free issue was addressed with improved\nmemory management. \nWebKit Bugzilla: 245521\nCVE-2022-42867: Maddie Stone of Google Project Zero\n\nWebKit\nAvailable for: Apple Watch Series 4 and later\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: A memory consumption issue was addressed with improved\nmemory handling. \nWebKit Bugzilla: 245466\nCVE-2022-46691: an anonymous researcher\n\nWebKit\nAvailable for: Apple Watch Series 4 and later\nImpact: Processing maliciously crafted web content may bypass Same\nOrigin Policy\nDescription: A logic issue was addressed with improved state\nmanagement. \nWebKit Bugzilla: 246783\nCVE-2022-46692: KirtiKumar Anandrao Ramchandani\n\nWebKit\nAvailable for: Apple Watch Series 4 and later\nImpact: Processing maliciously crafted web content may result in the\ndisclosure of process memory\nDescription: The issue was addressed with improved memory handling. \nCVE-2022-42852: hazbinhotel working with Trend Micro Zero Day\nInitiative\n\nWebKit\nAvailable for: Apple Watch Series 4 and later\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: A memory corruption issue was addressed with improved\ninput validation. \nWebKit Bugzilla: 246942\nCVE-2022-46696: Samuel Gro\u00df of Google V8 Security\nWebKit Bugzilla: 247562\nCVE-2022-46700: Samuel Gro\u00df of Google V8 Security\n\nWebKit\nAvailable for: Apple Watch Series 4 and later\nImpact: Processing maliciously crafted web content may disclose\nsensitive user information\nDescription: A logic issue was addressed with improved checks. \nCVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs\n\u0026 DNSLab, Korea Univ. \n\nWebKit\nAvailable for: Apple Watch Series 4 and later\nImpact: Processing maliciously crafted web content may lead to\narbitrary code execution\nDescription: A memory corruption issue was addressed with improved\nstate management. \nWebKit Bugzilla: 247420\nCVE-2022-46699: Samuel Gro\u00df of Google V8 Security\nWebKit Bugzilla: 244622\nCVE-2022-42863: an anonymous researcher\n\nAdditional recognition\n\nKernel\nWe would like to acknowledge Zweig of Kunlun Lab for their\nassistance. \n\nSafari Extensions\nWe would like to acknowledge Oliver Dunk and Christian R. of\n1Password for their assistance. \n\nWebKit\nWe would like to acknowledge an anonymous researcher and scarlet for\ntheir assistance. \n\nInstructions on how to update your Apple Watch software are available\nat https://support.apple.com/kb/HT204641 To check the version on\nyour Apple Watch, open the Apple Watch app on your iPhone and select\n\"My Watch \u003e General \u003e About\". Alternatively, on your watch, select\n\"My Watch \u003e General \u003e About\". \nAll information is also posted on the Apple Security Updates\nweb site: https://support.apple.com/en-us/HT201222. \n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX4ACgkQ4RjMIDke\nNxlyKA//eeU/txeqNxHM7JQE6xFrlla1tinQYMjbLhMgzdTbKpPjX8aHVqFfLB/Q\n5nH+NqrGs4HQwNQJ6fSiBIId0th71mgX7W3Noa1apzFh7Okl6IehczkAFB9OH7ve\nvnwiEECGU0hUNmbIi0s9HuuBo6eSNPFsJt0Jqn8ovV+F9bc+ftl/IRv6q2vg3rl3\nDNag62BCmCN4uXmqoJ4CKg7cNbddvma0bDbB1yYujxdmFwm4JGN6aittXE3WtPK2\nGH2/UxdZll8FR7Zegh1ziUcTaLR4dwHlXRFgc6WC8hqx6T8imNh1heAPwzhT+Iag\npiObDoMs7UYFKF/eQ8LUcl4hX8IOdLFO5I+BcvCzOcKqHutPqbE8QRU9yqjcQlsJ\nsOV7GT9W9J+QhibpIJbLVkkQp5djPZ8mLP0OKiRN1quEDWMrquPdM+r9ftJwEIki\nPLL/ur9c7geXCJCLzglMSMkNcoGZk77qzfJuPdoE0lD6zjdvBHalF5j8S0a1+9gi\nex3zU1I+ixqg7CvLNfkSjLcO9KOoPEFHnqEFrrO17QWWyraugrPgV0dMYArGRBpA\nFofYP6bXLv8eSUNuyOoQxF6kS4ChYgLUabl2NYqop9LoRWAtDAclTiabuvDJPfqA\nW09wxdhbpp2saxt8LlQjffzOmHJST6oHhHZiFiFswRM0q0nue6I=\n=DltD\n-----END PGP SIGNATURE-----\n\n\n. Bugs fixed (https://bugzilla.redhat.com/):\n\n2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be\n2163037 - CVE-2022-3064 go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents\n2167819 - CVE-2023-23947 ArgoCD: Users with any cluster secret update access may update out-of-bounds cluster secrets\n\n5. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202210-39\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n Title: libxml2: Multiple Vulnerabilities\n Date: October 31, 2022\n Bugs: #877149\n ID: 202210-39\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in libxml2, the worst of which\ncould result in arbitrary code execution. \n\nBackground\n==========\n\nlibxml2 is the XML C parser and toolkit developed for the GNOME project. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 dev-libs/libxml2 \u003c 2.10.3 \u003e= 2.10.3\n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in libxml2. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll libxml2 users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=dev-libs/libxml2-2.10.3\"\n\nReferences\n==========\n\n[ 1 ] CVE-2022-40303\n https://nvd.nist.gov/vuln/detail/CVE-2022-40303\n[ 2 ] CVE-2022-40304\n https://nvd.nist.gov/vuln/detail/CVE-2022-40304\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202210-39\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. \n\nLicense\n=======\n\nCopyright 2022 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. =========================================================================\nUbuntu Security Notice USN-5760-1\nDecember 05, 2022\n\nlibxml2 vulnerabilities\n=========================================================================\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 22.10\n- Ubuntu 22.04 LTS\n- Ubuntu 20.04 LTS\n- Ubuntu 18.04 LTS\n\nSummary:\n\nSeveral security issues were fixed in libxml2. \n\nSoftware Description:\n- libxml2: GNOME XML library\n\nDetails:\n\nIt was discovered that libxml2 incorrectly handled certain XML files. \nAn attacker could possibly use this issue to cause a crash. \nAn attacker could possibly use this issue to expose sensitive information\nor cause a crash. \nAn attacker could possibly use this issue to execute arbitrary code. \n(CVE-2022-40304)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 22.10:\n libxml2 2.9.14+dfsg-1ubuntu0.1\n libxml2-utils 2.9.14+dfsg-1ubuntu0.1\n\nUbuntu 22.04 LTS:\n libxml2 2.9.13+dfsg-1ubuntu0.2\n libxml2-utils 2.9.13+dfsg-1ubuntu0.2\n\nUbuntu 20.04 LTS:\n libxml2 2.9.10+dfsg-5ubuntu0.20.04.5\n libxml2-utils 2.9.10+dfsg-5ubuntu0.20.04.5\n\nUbuntu 18.04 LTS:\n libxml2 2.9.4+dfsg1-6.1ubuntu1.8\n libxml2-utils 2.9.4+dfsg1-6.1ubuntu1.8\n\nIn general, a standard system update will make all the necessary changes. JIRA issues fixed (https://issues.jboss.org/):\n\nWRKLDS-653 - New SSO 1.1.1 release to address existing CVEs\n\n6. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Important: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update\nAdvisory ID: RHSA-2023:3742-02\nProduct: Red Hat OpenShift Data Foundation\nAdvisory URL: https://access.redhat.com/errata/RHSA-2023:3742\nIssue date: 2023-06-21\nCVE Names: CVE-2015-20107 CVE-2018-25032 CVE-2020-10735 \n CVE-2020-16250 CVE-2020-16251 CVE-2020-17049 \n CVE-2021-3765 CVE-2021-3807 CVE-2021-4231 \n CVE-2021-4235 CVE-2021-4238 CVE-2021-28861 \n CVE-2021-43519 CVE-2021-43998 CVE-2021-44531 \n CVE-2021-44532 CVE-2021-44533 CVE-2021-44964 \n CVE-2021-46828 CVE-2021-46848 CVE-2022-0670 \n CVE-2022-1271 CVE-2022-1304 CVE-2022-1348 \n CVE-2022-1586 CVE-2022-1587 CVE-2022-2309 \n CVE-2022-2509 CVE-2022-2795 CVE-2022-2879 \n CVE-2022-2880 CVE-2022-3094 CVE-2022-3358 \n CVE-2022-3515 CVE-2022-3517 CVE-2022-3715 \n CVE-2022-3736 CVE-2022-3821 CVE-2022-3924 \n CVE-2022-4415 CVE-2022-21824 CVE-2022-23540 \n CVE-2022-23541 CVE-2022-24903 CVE-2022-26280 \n CVE-2022-27664 CVE-2022-28805 CVE-2022-29154 \n CVE-2022-30635 CVE-2022-31129 CVE-2022-32189 \n CVE-2022-32190 CVE-2022-33099 CVE-2022-34903 \n CVE-2022-35737 CVE-2022-36227 CVE-2022-37434 \n CVE-2022-38149 CVE-2022-38900 CVE-2022-40023 \n CVE-2022-40303 CVE-2022-40304 CVE-2022-40897 \n CVE-2022-41316 CVE-2022-41715 CVE-2022-41717 \n CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 \n CVE-2022-42010 CVE-2022-42011 CVE-2022-42012 \n CVE-2022-42898 CVE-2022-42919 CVE-2022-43680 \n CVE-2022-45061 CVE-2022-45873 CVE-2022-46175 \n CVE-2022-47024 CVE-2022-47629 CVE-2022-48303 \n CVE-2022-48337 CVE-2022-48338 CVE-2022-48339 \n CVE-2023-0361 CVE-2023-0620 CVE-2023-0665 \n CVE-2023-2491 CVE-2023-22809 CVE-2023-24329 \n CVE-2023-24999 CVE-2023-25000 CVE-2023-25136 \n=====================================================================\n\n1. Summary:\n\nUpdated images that include numerous enhancements, security, and bug fixes\nare now available in Red Hat Container Registry for Red Hat OpenShift Data\nFoundation 4.13.0 on Red Hat Enterprise Linux 9. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Description:\n\nRed Hat OpenShift Data Foundation is software-defined storage integrated\nwith and optimized for the Red Hat OpenShift Container Platform. Red Hat\nOpenShift Data Foundation is a highly scalable, production-grade persistent\nstorage for stateful applications running in the Red Hat OpenShift\nContainer Platform. In addition to persistent storage, Red Hat OpenShift\nData Foundation provisions a multicloud data management service with an S3\ncompatible API. \n\nSecurity Fix(es):\n\n* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as\nrandom as they should be (CVE-2021-4238)\n\n* decode-uri-component: improper input validation resulting in DoS\n(CVE-2022-38900)\n\n* vault: Hashicorp Vault AWS IAM Integration Authentication Bypass\n(CVE-2020-16250)\n\n* vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251)\n\n* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching\nANSI escape codes (CVE-2021-3807)\n\n* go-yaml: Denial of Service in go-yaml (CVE-2021-4235)\n\n* vault: incorrect policy enforcement (CVE-2021-43998)\n\n* nodejs: Improper handling of URI Subject Alternative Names\n(CVE-2021-44531)\n\n* nodejs: Certificate Verification Bypass via String Injection\n(CVE-2021-44532)\n\n* nodejs: Incorrect handling of certificate subject and issuer fields\n(CVE-2021-44533)\n\n* golang: archive/tar: unbounded memory consumption when reading headers\n(CVE-2022-2879)\n\n* golang: net/http/httputil: ReverseProxy should not forward unparseable\nquery parameters (CVE-2022-2880)\n\n* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)\n\n* jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to\nsignature validation bypass (CVE-2022-23540)\n\n* jsonwebtoken: Insecure implementation of key retrieval function could\nlead to Forgeable Public/Private Tokens from RSA to HMAC (CVE-2022-23541)\n\n* golang: net/http: handle server errors after sending GOAWAY\n(CVE-2022-27664)\n\n* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)\n\n* golang: net/url: JoinPath does not strip relative path components in all\ncircumstances (CVE-2022-32190)\n\n* consul: Consul Template May Expose Vault Secrets When Processing Invalid\nInput (CVE-2022-38149)\n\n* vault: insufficient certificate revocation list checking (CVE-2022-41316)\n\n* golang: regexp/syntax: limit memory used by parsing regexps\n(CVE-2022-41715)\n\n* golang: net/http: excessive memory growth in a Go server accepting HTTP/2\nrequests (CVE-2022-41717)\n\n* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK\ndecoding (CVE-2022-41723)\n\n* golang: crypto/tls: large handshake records may cause panics\n(CVE-2022-41724)\n\n* golang: net/http, mime/multipart: denial of service from excessive\nresource consumption (CVE-2022-41725)\n\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n\n* vault: Vault\u2019s Microsoft SQL Database Storage Backend Vulnerable to SQL\nInjection Via Configuration File (CVE-2023-0620)\n\n* hashicorp/vault: Vault\u2019s PKI Issuer Endpoint Did Not Correctly Authorize\nAccess to Issuer Metadata (CVE-2023-0665)\n\n* Hashicorp/vault: Vault Fails to Verify if Approle SecretID Belongs to\nRole During a Destroy Operation (CVE-2023-24999)\n\n* hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations\n(CVE-2023-25000)\n\n* validator: Inefficient Regular Expression Complexity in Validator.js\n(CVE-2021-3765)\n\n* nodejs: Prototype pollution via console.table properties (CVE-2022-21824)\n\n* golang: math/big: decoding big.Float and big.Rat types can panic if the\nencoded message is too short, potentially allowing a denial of service\n(CVE-2022-32189)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n3. Solution:\n\nThese updated images include numerous enhancements and bug fixes. Space\nprecludes documenting all of these changes in this advisory. Users are\ndirected to the Red Hat OpenShift Data Foundation Release Notes for\ninformation on the most significant of these changes:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.13/html/4.13_release_notes/index\n\nAll Red Hat OpenShift Data Foundation users are advised to upgrade to these\nupdated images that provide numerous bug fixes and enhancements. \n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1786696 - UI-\u003eDashboards-\u003eOverview-\u003eAlerts shows MON components are at different versions, though they are NOT\n1855339 - Wrong version of ocs-storagecluster\n1943137 - [Tracker for BZ #1945618] rbd: Storage is not reclaimed after persistentvolumeclaim and job that utilized it are deleted\n1944687 - [RFE] KMS server connection lost alert\n1989088 - [4.8][Multus] UX experience issues and enhancements\n2005040 - Uninstallation of ODF StorageSystem via OCP Console fails, gets stuck in Terminating state\n2005830 - [DR] DRPolicy resource should not be editable after creation\n2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes\n2028193 - CVE-2021-43998 vault: incorrect policy enforcement\n2040839 - CVE-2021-44531 nodejs: Improper handling of URI Subject Alternative Names\n2040846 - CVE-2021-44532 nodejs: Certificate Verification Bypass via String Injection\n2040856 - CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields\n2040862 - CVE-2022-21824 nodejs: Prototype pollution via console.table properties\n2042914 - [Tracker for BZ #2013109] [UI] Refreshing web console from the pop-up is taking to Install Operator page. \n2052252 - CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824 [CVE] nodejs: various flaws [openshift-data-foundation-4]\n2101497 - ceph_mon_metadata metrics are not collected properly\n2101916 - must-gather is not collecting ceph logs or coredumps\n2102304 - [GSS] Remove the entry of removed node from Storagecluster under Node Topology\n2104148 - route ocs-storagecluster-cephobjectstore misconfigured to use http and https on same http route in haproxy.config\n2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode\n2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service\n2115020 - [RDR] Sync schedule is not removed from mirrorpeer yaml after DR Policy is deleted\n2115616 - [GSS] failing to change ownership of the NFS based PVC for PostgreSQL pod by using kube_pv_chown utility\n2119551 - CVE-2022-38149 consul: Consul Template May Expose Vault Secrets When Processing Invalid Input\n2120098 - [RDR] Even before an action gets fully completed, PeerReady and Available are reported as True in the DRPC yaml\n2120944 - Large Omap objects found in pool \u0027ocs-storagecluster-cephfilesystem-metadata\u0027\n2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances\n2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY\n2126299 - CVE-2021-3765 validator: Inefficient Regular Expression Complexity in Validator.js\n2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers\n2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters\n2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps\n2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function\n2135339 - CVE-2022-41316 vault: insufficient certificate revocation list checking\n2139037 - [cee/sd]Unable to access s3 via RGW route ocs-storagecluster-cephobjectstore\n2141095 - [RDR] Storage System page on ACM Hub is visible even when data observability is not enabled\n2142651 - RFE: OSDs need ability to bind to a service IP instead of the pod IP to support RBD mirroring in OCP clusters\n2142894 - Credentials are ignored when creating a Backing/Namespace store after prompted to enter a name for the resource\n2142941 - RGW cloud Transition. HEAD/GET requests to MCG are failing with 403 error\n2143944 - [GSS] unknown parameter name \"FORCE_OSD_REMOVAL\"\n2144256 - [RDR] [UI] DR Application applied to a single DRPolicy starts showing connected to multiple policies due to console flickering\n2151903 - [MCG] Azure bs/ns creation fails with target bucket does not exists\n2152143 - [Noobaa Clone] Secrets are used in env variables\n2154250 - NooBaa Bucket Quota alerts are not working\n2155507 - RBD reclaimspace job fails when the PVC is not mounted\n2155743 - ODF Dashboard fails to load\n2156067 - [RDR] [UI] When Peer Ready isn\u0027t True, UI doesn\u0027t reset the error message even when no subscription group is selected\n2156069 - [UI] Instances of OCS can be seen on BlockPool action modals\n2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method\n2156519 - 4.13: odf-csi-addons-operator failed with OwnNamespace InstallModeType not supported\n2156727 - CVE-2021-4235 go-yaml: Denial of Service in go-yaml\n2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be\n2157876 - [OCP Tracker] [UI] When OCP and ODF are upgraded, refresh web console pop-up doesn\u0027t appear after ODF upgrade resulting in dashboard crash\n2158922 - Namespace store fails to get created via the ODF UI\n2159676 - rbd-mirror logs are rotated very frequently, increase the default maxlogsize for rbd-mirror\n2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests\n2161879 - logging issue when deleting webhook resources\n2161937 - collect kernel and journal logs from all worker nodes\n2162257 - [RDR][CEPHFS] sync/replication is getting stopped for some pvc\n2164617 - Unable to expand ocs-storagecluster-ceph-rbd PVCs provisioned in Filesystem mode\n2165495 - Placement scheduler is using too much resources\n2165504 - Sizer sharing link is broken\n2165929 - [RFE] ODF bluewash introduction in 4.12.x\n2165938 - ocs-operator CSV is missing disconnected env annotation. \n2165984 - [RDR] Replication stopped for images is represented with incorrect color\n2166222 - CSV is missing disconnected env annotation and relatedImages spec\n2166234 - Application user unable to invoke Failover and Relocate actions\n2166869 - Match the version of consoleplugin to odf operator\n2167299 - [RFE] ODF bluewash introduction in 4.12.x\n2167308 - [mcg-clone] Security and VA issues with ODF operator\n2167337 - CVE-2020-16250 vault: Hashicorp Vault AWS IAM Integration Authentication Bypass\n2167340 - CVE-2020-16251 vault: GCP Auth Method Allows Authentication Bypass\n2167946 - CSV is missing disconnected env annotation and relatedImages spec\n2168113 - [Ceph Tracker BZ #2141110] [cee/sd][Bluestore] Newly deployed bluestore OSD\u0027s showing high fragmentation score\n2168635 - fix redirect link to operator details page (OCS dashboard)\n2168840 - [Fusion-aaS][ODF 4.13]Within \u0027prometheus-ceph-rules\u0027 the namespace for \u0027rook-ceph-mgr\u0027 jobs should be configurable. \n2168849 - Must-gather doesn\u0027t collect coredump logs crucial for OSD crash events\n2169375 - CVE-2022-23541 jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC\n2169378 - CVE-2022-23540 jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass\n2169779 - [vSphere]: rook-ceph-mon-* pvc are in pending state\n2170644 - CVE-2022-38900 decode-uri-component: improper input validation resulting in DoS\n2170673 - [RDR] Different replication states of PVC images aren\u0027t correctly distinguished and representated on UI\n2172089 - [Tracker for Ceph BZ 2174461] rook-ceph-nfs pod is stuck at status \u0027CreateContainerError\u0027 after enabling NFS in ODF 4.13\n2172365 - [csi-addons] odf-csi-addons-operator oomkilled with fresh installation 4.12\n2172521 - No OSD pods are created for 4.13 LSO deployment\n2173161 - ODF-console can not start when you disable IPv6 on Node with kernel parameter. \n2173528 - Creation of OCS operator tag automatically for verified commits\n2173534 - When on StorageSystem details click on History back btn it shows blank body\n2173926 - [RFE] Include changes in MCG for new Ceph RGW transition headers\n2175612 - noobaa-core-0 crashing and storagecluster not getting to ready state during ODF deployment with FIPS enabled in 4.13cluster\n2175685 - RGW OBC creation via the UI is blocked by \"Address form errors to proceed\" error\n2175714 - UI fix- capitalization\n2175867 - Rook sets cephfs kernel mount options even when mon is using v1 port\n2176080 - odf must-gather should collect output of oc get hpa -n openshift-storage\n2176456 - [RDR] ramen-hub-operator and ramen-dr-cluster-operator is going into CLBO post deployment\n2176739 - [UI] CSI Addons operator icon is broken\n2176776 - Enable save options only when the protected apps has labels for manage DRPolicy\n2176798 - [IBM Z ] Multi Cluster Orchestrator operator is not available in the Operator Hub\n2176809 - [IBM Z ] DR operator is not available in the Operator Hub\n2177134 - Next button if disabled for storage system deployment flow for IBM Ceph Storage security and network step when there is no OCS installed already\n2177221 - Enable DR dashboard only when ACM observability is enabled\n2177325 - Noobaa-db pod is taking longer time to start up in ODF 4.13\n2177695 - DR dashbaord showing incorrect RPO data\n2177844 - CVE-2023-24999 Hashicorp/vault: Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation\n2178033 - node topology warnings tab doesn\u0027t show pod warnings\n2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding\n2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption\n2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics\n2178588 - No rack names on ODF Topology\n2178619 - odf-operator failing to resolve its sub-dependencies leaving the ocs-consumer/provider addon in a failed and halted state\n2178682 - [GSS] Add the valid AWS GovCloud regions in OCS UI. \n2179133 - [UI] A blank page appears while selecting Storage Pool for creating Encrypted Storage Class\n2179337 - Invalid storage system href link on the ODF multicluster dashboard\n2179403 - (4.13) Mons are failing to start when msgr2 is required with RHCS 6.1\n2179846 - [IBM Z] In RHCS external mode Cephobjectstore creation fails as it reports that the \"object store name cannot be longer than 38 characters\"\n2179860 - [MCG] Bucket replication with deletion sync isn\u0027t complete\n2179976 - [ODF 4.13] Missing the status-reporter binary causing pods \"report-status-to-provider\" remain in CreateContainerError on ODF to ODF cluster on ROSA\n2179981 - ODF Topology search bar mistakes to find searched node/pod\n2179997 - Topology. Exit full screen does not appear in Full screen mode\n2180211 - StorageCluster stuck in progressing state for Thales KMS deployment\n2180397 - Last sync time is missing on application set\u0027s disaster recovery status popover\n2180440 - odf-monitoring-tool. YAML file misjudged as corrupted\n2180921 - Deployment with external cluster in ODF 4.13 with unable to use cephfs as backing store for image_registry\n2181112 - [RDR] [UI] Hide disable DR functionality as it would be un-tested in 4.13\n2181133 - CI: backport E2E job improvements\n2181446 - [KMS][UI] PVC provisioning failed in case of vault kubernetes authentication is configured. \n2181535 - [GSS] Object storage in degraded state\n2181551 - Build: move to \u0027dependencies\u0027 the ones required for running a build\n2181832 - Create OBC via UI, placeholder on StorageClass dropped\n2181949 - [ODF Tracker] [RFE] Catch MDS damage to the dentry\u0027s first snapid\n2182041 - OCS-Operator expects NooBaa CRDs to be present on the cluster when installed directly without ODF Operator\n2182296 - [Fusion-aaS][ODF 4.13]must-gather does not collect relevant logs when storage cluster is not in openshift-storage namespace\n2182375 - [MDR] Not able to fence DR clusters\n2182644 - [IBM Z] MDR policy creation fails unless the ocs-operator pod is restarted on the managed clusters\n2182664 - Topology view should hide the sidebar when changing levels\n2182703 - [RDR] After upgrading from 4.12.2 to 4.13.0 version.odf.openshift.io cr is not getting updated with latest ODF version\n2182972 - CVE-2023-25000 hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations\n2182981 - CVE-2023-0665 hashicorp/vault: Vault?s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata\n2183155 - failed to mount the the cephfs subvolume as subvolumegroup name is not sent in the GetStorageConfig RPC call\n2183196 - [Fusion-aaS] Collect Must-gather logs from the managed-fusion agent namesapce\n2183266 - [Fusion aaS Rook ODF 4.13]] Rook-ceph-operator pod should allow OBC CRDs to be optional instead of causing a crash when not present\n2183457 - [RDR] when running any ceph cmd we see error 2023-03-31T08:25:31.844+0000 7f8deaffd640 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]\n2183478 - [MDR][UI] Cannot relocate subscription based apps, Appset based apps are possible to relocate\n2183520 - [Fusion-aaS] csi-cephfs-plugin pods are not created after installing ocs-client-operator\n2184068 - [Fusion-aaS] Failed to mount CephFS volumes while creating pods\n2184605 - [ODF 4.13][Fusion-aaS] OpenShift Data Foundation Client operator is listed in OperatorHub and installable from UI\n2184663 - CVE-2023-0620 vault: Vault?s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File\n2184769 - {Fusion-aaS][ODF 4.13]Remove storageclassclaim cr and create new cr storageclass request cr\n2184773 - multicluster-orchestrator should not reset spec.network.multiClusterService.Enabled field added by user\n2184892 - Don\u0027t pass encryption options to ceph cluster in odf external mode to provider/consumer cluster\n2184984 - Topology Sidebar alerts panel: alerts accordion does not toggle when clicking on alert severity text\n2185164 - [KMS][VAULT] PVC provisioning is failing when the Vault (HCP) Kubernetes authentication is set. \n2185188 - Fix storagecluster watch request for OCSInitialization\n2185757 - add NFS dashboard\n2185871 - [MDR][ACM-Tracker] Deleting an Appset based application does not delete its placement\n2186171 - [GSS] \"disableLoadBalancerService: true\" config is reconciled after modifying the number of NooBaa endpoints\n2186225 - [RDR] when running any ceph cmd we see error 2023-03-31T08:25:31.844+0000 7f8deaffd640 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]\n2186475 - handle different network connection spec \u0026 Pass appropriate options for all the cases of Network Spec\n2186752 - [translations] add translations for 4.13\n2187251 - sync ocs and odf with the latest rook\n2187296 - [MCG] Can\u0027t opt out of deletions sync once log-based replication with deletions sync is set\n2187736 - [RDR] Replication history graph is showing incorrect value\n2187952 - When cluster controller is cancelled frequently, multiple simultaneous controllers cause issues since need to wait for shutdown before continuing new controller\n2187969 - [ODFMS-Migration ] [OCS Client Operator] csi-rbdplugin stuck in ImagePullBackOff on consumer clusters after Migration\n2187986 - [MDR] ramen-dr-cluster-operator pod is in CLBO after assigning dr policy to an appset based app\n2188053 - ocs-metrics-exporter cannot list/watch StorageCluster, StorageClass, CephBlockPool and other resources\n2188238 - [RDR] Avoid using the terminologies \"SLA\" in DR dashbaord\n2188303 - [RDR] Maintenance mode is not enabled after initiating failover action\n2188427 - [External mode upgrade]: Upgrade from 4.12 -\u003e 4.13 external mode is failing because rook-ceph-operator is not reaching clean state\n2188666 - wrong label in new storageclassrequest cr\n2189483 - After upgrade noobaa-db-pg-0 pod using old image in one of container\n2189929 - [RDR/MDR] [UI] Dashboard fon size are very uneven\n2189982 - [RDR] ocs_rbd_client_blocklisted datapoints and the corresponding alert is not getting generated\n2189984 - [KMS][VAULT] Storage cluster remains in \u0027Progressing\u0027 state during deployment with storage class encryption, despite all pods being up and running. \n2190129 - OCS Provider Server logs are incorrect\n2190241 - nfs metric details are unavailable and server health is displaying as \"Degraded\" under Network file system tab in UI\n2192088 - [IBM P] rbd_default_map_options value not set to ms_mode=secure in in-transit encryption enabled ODF cluster\n2192670 - Details tab for nodes inside Topology throws \"Something went wrong\" on IBM Power platform\n2192824 - [4.13] Fix Multisite in external cluster\n2192875 - Enable ceph-exporter in rook\n2193114 - MCG replication is failing due to OC binary incompatible on Power platform\n2193220 - [Stretch cluster] CephCluster is updated frequently due to changing ordering of zones\n2196176 - MULTUS UI, There is no option to change the multus configuration after we configure the params\n2196236 - [RDR] With ACM 2.8 User is not able to apply Drpolicy to subscription workload\n2196298 - [RDR] DRPolicy doesn\u0027t show connected application when subscription based workloads are deployed via CLI\n2203795 - ODF Monitoring is missing some of the ceph_* metric values\n2208029 - nfs server health is always displaying as \"Degraded\" under Network file system tab in UI. \n2208079 - rbd mirror daemon is commonly not upgraded\n2208269 - [RHCS Tracker] After add capacity the rebalance does not complete, and we see 2 PGs in active+clean+scrubbing and 1 active+clean+scrubbing+deep\n2208558 - [MDR] ramen-dr-cluster-operator pod crashes during failover\n2208962 - [UI] ODF Topology. Degraded cluster don\u0027t show red canvas on cluster level\n2209364 - ODF dashboard crashes when OCP and ODF are upgraded\n2209643 - Multus, Cephobjectstore stuck on Progressing state because \" failed to create or retrieve rgw admin ops user\"\n2209695 - When collecting Must-gather logs shows /usr/bin/gather_ceph_resources: line 341: jq: command not found\n2210964 - [UI][MDR] After hub recovery in overview tab of data policies Application set apps count is not showing\n2211334 - The replication history graph is very unclear\n2211343 - [MCG-Only]: upgrade failed from 4.12 to 4.13 due to missing CSI_ENABLE_READ_AFFINITY in ConfigMap openshift-storage/ocs-operator-config\n2211704 - Multipart uploads fail to a Azure namespace bucket when user MD is sent as part of the upload\n\n5. References:\n\nhttps://access.redhat.com/security/cve/CVE-2015-20107\nhttps://access.redhat.com/security/cve/CVE-2018-25032\nhttps://access.redhat.com/security/cve/CVE-2020-10735\nhttps://access.redhat.com/security/cve/CVE-2020-16250\nhttps://access.redhat.com/security/cve/CVE-2020-16251\nhttps://access.redhat.com/security/cve/CVE-2020-17049\nhttps://access.redhat.com/security/cve/CVE-2021-3765\nhttps://access.redhat.com/security/cve/CVE-2021-3807\nhttps://access.redhat.com/security/cve/CVE-2021-4231\nhttps://access.redhat.com/security/cve/CVE-2021-4235\nhttps://access.redhat.com/security/cve/CVE-2021-4238\nhttps://access.redhat.com/security/cve/CVE-2021-28861\nhttps://access.redhat.com/security/cve/CVE-2021-43519\nhttps://access.redhat.com/security/cve/CVE-2021-43998\nhttps://access.redhat.com/security/cve/CVE-2021-44531\nhttps://access.redhat.com/security/cve/CVE-2021-44532\nhttps://access.redhat.com/security/cve/CVE-2021-44533\nhttps://access.redhat.com/security/cve/CVE-2021-44964\nhttps://access.redhat.com/security/cve/CVE-2021-46828\nhttps://access.redhat.com/security/cve/CVE-2021-46848\nhttps://access.redhat.com/security/cve/CVE-2022-0670\nhttps://access.redhat.com/security/cve/CVE-2022-1271\nhttps://access.redhat.com/security/cve/CVE-2022-1304\nhttps://access.redhat.com/security/cve/CVE-2022-1348\nhttps://access.redhat.com/security/cve/CVE-2022-1586\nhttps://access.redhat.com/security/cve/CVE-2022-1587\nhttps://access.redhat.com/security/cve/CVE-2022-2309\nhttps://access.redhat.com/security/cve/CVE-2022-2509\nhttps://access.redhat.com/security/cve/CVE-2022-2795\nhttps://access.redhat.com/security/cve/CVE-2022-2879\nhttps://access.redhat.com/security/cve/CVE-2022-2880\nhttps://access.redhat.com/security/cve/CVE-2022-3094\nhttps://access.redhat.com/security/cve/CVE-2022-3358\nhttps://access.redhat.com/security/cve/CVE-2022-3515\nhttps://access.redhat.com/security/cve/CVE-2022-3517\nhttps://access.redhat.com/security/cve/CVE-2022-3715\nhttps://access.redhat.com/security/cve/CVE-2022-3736\nhttps://access.redhat.com/security/cve/CVE-2022-3821\nhttps://access.redhat.com/security/cve/CVE-2022-3924\nhttps://access.redhat.com/security/cve/CVE-2022-4415\nhttps://access.redhat.com/security/cve/CVE-2022-21824\nhttps://access.redhat.com/security/cve/CVE-2022-23540\nhttps://access.redhat.com/security/cve/CVE-2022-23541\nhttps://access.redhat.com/security/cve/CVE-2022-24903\nhttps://access.redhat.com/security/cve/CVE-2022-26280\nhttps://access.redhat.com/security/cve/CVE-2022-27664\nhttps://access.redhat.com/security/cve/CVE-2022-28805\nhttps://access.redhat.com/security/cve/CVE-2022-29154\nhttps://access.redhat.com/security/cve/CVE-2022-30635\nhttps://access.redhat.com/security/cve/CVE-2022-31129\nhttps://access.redhat.com/security/cve/CVE-2022-32189\nhttps://access.redhat.com/security/cve/CVE-2022-32190\nhttps://access.redhat.com/security/cve/CVE-2022-33099\nhttps://access.redhat.com/security/cve/CVE-2022-34903\nhttps://access.redhat.com/security/cve/CVE-2022-35737\nhttps://access.redhat.com/security/cve/CVE-2022-36227\nhttps://access.redhat.com/security/cve/CVE-2022-37434\nhttps://access.redhat.com/security/cve/CVE-2022-38149\nhttps://access.redhat.com/security/cve/CVE-2022-38900\nhttps://access.redhat.com/security/cve/CVE-2022-40023\nhttps://access.redhat.com/security/cve/CVE-2022-40303\nhttps://access.redhat.com/security/cve/CVE-2022-40304\nhttps://access.redhat.com/security/cve/CVE-2022-40897\nhttps://access.redhat.com/security/cve/CVE-2022-41316\nhttps://access.redhat.com/security/cve/CVE-2022-41715\nhttps://access.redhat.com/security/cve/CVE-2022-41717\nhttps://access.redhat.com/security/cve/CVE-2022-41723\nhttps://access.redhat.com/security/cve/CVE-2022-41724\nhttps://access.redhat.com/security/cve/CVE-2022-41725\nhttps://access.redhat.com/security/cve/CVE-2022-42010\nhttps://access.redhat.com/security/cve/CVE-2022-42011\nhttps://access.redhat.com/security/cve/CVE-2022-42012\nhttps://access.redhat.com/security/cve/CVE-2022-42898\nhttps://access.redhat.com/security/cve/CVE-2022-42919\nhttps://access.redhat.com/security/cve/CVE-2022-43680\nhttps://access.redhat.com/security/cve/CVE-2022-45061\nhttps://access.redhat.com/security/cve/CVE-2022-45873\nhttps://access.redhat.com/security/cve/CVE-2022-46175\nhttps://access.redhat.com/security/cve/CVE-2022-47024\nhttps://access.redhat.com/security/cve/CVE-2022-47629\nhttps://access.redhat.com/security/cve/CVE-2022-48303\nhttps://access.redhat.com/security/cve/CVE-2022-48337\nhttps://access.redhat.com/security/cve/CVE-2022-48338\nhttps://access.redhat.com/security/cve/CVE-2022-48339\nhttps://access.redhat.com/security/cve/CVE-2023-0361\nhttps://access.redhat.com/security/cve/CVE-2023-0620\nhttps://access.redhat.com/security/cve/CVE-2023-0665\nhttps://access.redhat.com/security/cve/CVE-2023-2491\nhttps://access.redhat.com/security/cve/CVE-2023-22809\nhttps://access.redhat.com/security/cve/CVE-2023-24329\nhttps://access.redhat.com/security/cve/CVE-2023-24999\nhttps://access.redhat.com/security/cve/CVE-2023-25000\nhttps://access.redhat.com/security/cve/CVE-2023-25136\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.13/html/4.13_release_notes/index\n\n6. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2023 Red Hat, Inc",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-40304"
},
{
"db": "VULHUB",
"id": "VHN-429438"
},
{
"db": "PACKETSTORM",
"id": "171025"
},
{
"db": "PACKETSTORM",
"id": "171318"
},
{
"db": "PACKETSTORM",
"id": "171215"
},
{
"db": "PACKETSTORM",
"id": "171173"
},
{
"db": "PACKETSTORM",
"id": "170318"
},
{
"db": "PACKETSTORM",
"id": "171040"
},
{
"db": "PACKETSTORM",
"id": "169620"
},
{
"db": "PACKETSTORM",
"id": "170096"
},
{
"db": "PACKETSTORM",
"id": "172460"
},
{
"db": "PACKETSTORM",
"id": "173107"
}
],
"trust": 1.89
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-429438",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-429438"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-40304",
"trust": 2.1
},
{
"db": "PACKETSTORM",
"id": "170318",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "171173",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "169620",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "170096",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "171040",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "169824",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170317",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170316",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170753",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171016",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "169857",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170555",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171043",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170752",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170899",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170312",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170955",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "169858",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "169732",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170097",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171042",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171017",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170754",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170315",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171260",
"trust": 0.1
},
{
"db": "CNNVD",
"id": "CNNVD-202210-1022",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-429438",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171025",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171318",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "171215",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "172460",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "173107",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-429438"
},
{
"db": "PACKETSTORM",
"id": "171025"
},
{
"db": "PACKETSTORM",
"id": "171318"
},
{
"db": "PACKETSTORM",
"id": "171215"
},
{
"db": "PACKETSTORM",
"id": "171173"
},
{
"db": "PACKETSTORM",
"id": "170318"
},
{
"db": "PACKETSTORM",
"id": "171040"
},
{
"db": "PACKETSTORM",
"id": "169620"
},
{
"db": "PACKETSTORM",
"id": "170096"
},
{
"db": "PACKETSTORM",
"id": "172460"
},
{
"db": "PACKETSTORM",
"id": "173107"
},
{
"db": "NVD",
"id": "CVE-2022-40304"
}
]
},
"id": "VAR-202210-1070",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-429438"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-29T19:32:23.694000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-415",
"trust": 1.0
},
{
"problemtype": "CWE-611",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-429438"
},
{
"db": "NVD",
"id": "CVE-2022-40304"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.1,
"url": "https://security.netapp.com/advisory/ntap-20221209-0003/"
},
{
"trust": 1.1,
"url": "https://support.apple.com/kb/ht213531"
},
{
"trust": 1.1,
"url": "https://support.apple.com/kb/ht213533"
},
{
"trust": 1.1,
"url": "https://support.apple.com/kb/ht213534"
},
{
"trust": 1.1,
"url": "https://support.apple.com/kb/ht213535"
},
{
"trust": 1.1,
"url": "https://support.apple.com/kb/ht213536"
},
{
"trust": 1.1,
"url": "http://seclists.org/fulldisclosure/2022/dec/21"
},
{
"trust": 1.1,
"url": "http://seclists.org/fulldisclosure/2022/dec/24"
},
{
"trust": 1.1,
"url": "http://seclists.org/fulldisclosure/2022/dec/25"
},
{
"trust": 1.1,
"url": "http://seclists.org/fulldisclosure/2022/dec/26"
},
{
"trust": 1.1,
"url": "http://seclists.org/fulldisclosure/2022/dec/27"
},
{
"trust": 1.1,
"url": "https://gitlab.gnome.org/gnome/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b"
},
{
"trust": 1.1,
"url": "https://gitlab.gnome.org/gnome/libxml2/-/tags"
},
{
"trust": 1.1,
"url": "https://gitlab.gnome.org/gnome/libxml2/-/tags/v2.10.3"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2022-40304"
},
{
"trust": 0.7,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2022-47629"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2022-40303"
},
{
"trust": 0.7,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-40304"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-40303"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2022-35737"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2021-46848"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2022-4415"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-23521"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-46848"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-41903"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-23521"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-47629"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-41717"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-43680"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-42012"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-42010"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-42011"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-48303"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-4415"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-46175"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-31129"
},
{
"trust": 0.2,
"url": "https://issues.jboss.org/):"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-41903"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-4238"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-4238"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-41715"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-27664"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-41724"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-32190"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2023-0361"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-42898"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-1586"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-34903"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-1304"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-32189"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-2880"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-41725"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2867"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2056"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html-single/install/index#installing"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2964"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2953"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2869"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2058"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:0794"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2520"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2057"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2868"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-24999"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2519"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2058"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2520"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2953"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2964"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2868"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2057"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-44617"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2869"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-24999"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2521"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2056"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2867"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-4883"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2521"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-4139"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-46285"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2519"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-48303"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:1181"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-35737"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-41717"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11022"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-38750"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-14042"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-1471"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-14040"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1438"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3916"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-40150"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:1047"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-31129"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-40149"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-25857"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-35065"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-45047"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-46364"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-44906"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-44906"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-0091"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-21843"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-4039"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-24785"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-37603"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3782"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-42004"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2764"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-21835"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11022"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2764"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-46363"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1471"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-0264"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-38751"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-1274"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-37603"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-45693"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-38749"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-35065"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-42003"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-1438"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-25857"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-14042"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-24785"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-14040"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-11358"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-11358"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1274"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-0923"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-0923"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:0977"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42867"
},
{
"trust": 0.1,
"url": "https://www.apple.com/support/security/pgp/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42849"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42842"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42866"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42845"
},
{
"trust": 0.1,
"url": "https://support.apple.com/en-us/ht201222."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42865"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42863"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42864"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42843"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42852"
},
{
"trust": 0.1,
"url": "https://support.apple.com/kb/ht204641"
},
{
"trust": 0.1,
"url": "https://support.apple.com/ht213536."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42837"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42859"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-3064"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-23947"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3064"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:0802"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-23947"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/glsa/202210-39"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/libxml2/2.9.10+dfsg-5ubuntu0.20.04.5"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/libxml2/2.9.4+dfsg1-6.1ubuntu1.8"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2309"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/libxml2/2.9.13+dfsg-1ubuntu0.2"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-5760-1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/libxml2/2.9.14+dfsg-1ubuntu0.1"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22662"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-23916"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-26700"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-26719"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:0584"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-26719"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22629"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22624"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22628"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22624"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22662"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-26709"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1304"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-26710"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-26716"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-26717"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-30293"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-26709"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-4450"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22628"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-26710"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-4304"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-26717"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-26700"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22629"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-26716"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-0215"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-0286"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1586"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-27664"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-30635"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-23540"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-16250"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-41316"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-4231"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2795"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-16250"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-0670"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3517"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-36227"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-45873"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3765"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-2491"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-20107"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-43998"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-40897"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-24329"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-21824"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-44531"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2879"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2509"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-25032"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-38149"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-28805"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3821"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-25136"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-1271"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-26280"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.13/html/4.13_release_notes/index"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-37434"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-48337"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-43519"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-1587"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-29154"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-45061"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-28861"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-0620"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3807"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2023:3742"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-43519"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-24999"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-25000"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-25032"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-22809"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-4235"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-4235"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-40023"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-47024"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-16251"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-28861"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3924"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-44533"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-44532"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10735"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3358"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-44964"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3736"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-17049"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3715"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-24903"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-43998"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2015-20107"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-38900"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2023-0665"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-1348"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3515"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-48338"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-42919"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-16251"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-33099"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-48339"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-46828"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2309"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3765"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-23541"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-41723"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-17049"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-10735"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-4231"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3807"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-3094"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-429438"
},
{
"db": "PACKETSTORM",
"id": "171025"
},
{
"db": "PACKETSTORM",
"id": "171318"
},
{
"db": "PACKETSTORM",
"id": "171215"
},
{
"db": "PACKETSTORM",
"id": "171173"
},
{
"db": "PACKETSTORM",
"id": "170318"
},
{
"db": "PACKETSTORM",
"id": "171040"
},
{
"db": "PACKETSTORM",
"id": "169620"
},
{
"db": "PACKETSTORM",
"id": "170096"
},
{
"db": "PACKETSTORM",
"id": "172460"
},
{
"db": "PACKETSTORM",
"id": "173107"
},
{
"db": "NVD",
"id": "CVE-2022-40304"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-429438"
},
{
"db": "PACKETSTORM",
"id": "171025"
},
{
"db": "PACKETSTORM",
"id": "171318"
},
{
"db": "PACKETSTORM",
"id": "171215"
},
{
"db": "PACKETSTORM",
"id": "171173"
},
{
"db": "PACKETSTORM",
"id": "170318"
},
{
"db": "PACKETSTORM",
"id": "171040"
},
{
"db": "PACKETSTORM",
"id": "169620"
},
{
"db": "PACKETSTORM",
"id": "170096"
},
{
"db": "PACKETSTORM",
"id": "172460"
},
{
"db": "PACKETSTORM",
"id": "173107"
},
{
"db": "NVD",
"id": "CVE-2022-40304"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-11-23T00:00:00",
"db": "VULHUB",
"id": "VHN-429438"
},
{
"date": "2023-02-16T15:44:21",
"db": "PACKETSTORM",
"id": "171025"
},
{
"date": "2023-03-10T14:24:58",
"db": "PACKETSTORM",
"id": "171318"
},
{
"date": "2023-03-02T15:19:44",
"db": "PACKETSTORM",
"id": "171215"
},
{
"date": "2023-02-28T17:09:39",
"db": "PACKETSTORM",
"id": "171173"
},
{
"date": "2022-12-22T02:13:22",
"db": "PACKETSTORM",
"id": "170318"
},
{
"date": "2023-02-17T16:01:57",
"db": "PACKETSTORM",
"id": "171040"
},
{
"date": "2022-11-01T13:29:06",
"db": "PACKETSTORM",
"id": "169620"
},
{
"date": "2022-12-05T15:18:07",
"db": "PACKETSTORM",
"id": "170096"
},
{
"date": "2023-05-19T14:41:19",
"db": "PACKETSTORM",
"id": "172460"
},
{
"date": "2023-06-23T14:56:34",
"db": "PACKETSTORM",
"id": "173107"
},
{
"date": "2022-11-23T18:15:12.167000",
"db": "NVD",
"id": "CVE-2022-40304"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-02-23T00:00:00",
"db": "VULHUB",
"id": "VHN-429438"
},
{
"date": "2023-11-07T03:52:15.353000",
"db": "NVD",
"id": "CVE-2022-40304"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "173107"
}
],
"trust": 0.1
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat Security Advisory 2023-0794-01",
"sources": [
{
"db": "PACKETSTORM",
"id": "171025"
}
],
"trust": 0.1
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "code execution, xss",
"sources": [
{
"db": "PACKETSTORM",
"id": "171215"
}
],
"trust": 0.1
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.